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0 Method and apparatus for Implementing electronic cash. 

0 In an eiectronic cash implementing method, a user makes a bank apply a blind signature to user Information 
Vi praduced. by a one-way function, from secret information SI containing identification infomiation, thereby 
obtaining signed user information. Further, the user makes the bank apply a blind signature to information 
containing authentication information Xi produced, by a one-way function, from random information Ri, thereby 
obtaining signed authentication information. The user (200) uses an information group containing the signed user 
information, the signed authentication information, the user information and the authentication information, as 
electronic cash for payment to a shop. The shop (300) verifies the validity of the signed user information and the 
signed authentication information, and produces and sends to the user an inquiry. In response to the inquiry the 
user produces a response Yi by using secret information and. random information and sends it to the shop. 
Having verified the validity of the response the shop accepts the electronic cash. 
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METHOD AND APPARATUS FOR IMPLEMENTING ELECTRONIC CASH 



BACKGROUND OF THE INVENTION 

The present invention relates to a method and apparatus for implementing electronic cash through 
utilization of a telecommunication system. 

5 An electronic funds transfer employing a telecommunication system is now coming into common use. 
In general, a certificate which is convertible into money at a financial institution (hereinafter referred to 
simply as a bank), such as a draft or check, has a symbolic function of its own (which guarantees its holder 
to the rights stated thereon). When handled in the telecommunication system, the certificate is digitized 
data, which can easily be copied and converted into money many times. This problem is encountered as 

10 well in the implementation of electronic cash such as a prepaid card, because the prepaid card can also be 
copied for illicit use to convert into money or purchase articles again and again. 

As a solution to this problem, there has been proposed a scheme which employs a card having a 
computation facility and checks its double usage by suitably adapting data exchange between a card reader 
and the card during cashing procedure (Chaum. Rat and Naor. "Untraceable Electronic Cash". Proc. of 

15 CRYPTO. •88, for example). 

The above-mentioned Chaum. et al. scheme may be briefly summarized in the following outline. 
Incidentally, user's identification information (such as his account number, etc.) wilt hereinafter be repre* 
sented by ID. 

A description will be given first of the procedure for a user to have a bank issue electronic cash of a 
20 certain face value. 

Step 1: The user creates k random numbeis ai (where i = 1. k) and uses a public one-way function 
g to obtain Xt and y,* from the following equations: 
Xi = g(a() 
yi = g(ai o ID) 
26 where i = l. .... k. 

In the above. ® represents an Exclusive OR logic operation. 

Step 2: The user computes, by the following equation, the product Br of a value f(Xi. yr) computed using 
a public one-way function f and the e-th power of a random number n, and then presents the value Bi to the 
bank. 

30 Bi = r? X f (Xi , yi) mod n , 
where i= 1. .... k 

The calculation of Bf is preprocessing for obtaining a signature of the bank to f(Xi. yO without allowing the 
bank to know its contents, and will hereinafter be called blind signature preprocessing. Here, a mod b 
generally represents the remainder of the division of an integer a by an integer b. 

35 Step 3: The bank makes the user open his ID and k/2 random numbers di and n to confirm that the user 
has correctly executed Steps 1 and 2. The following description will be given on the assumption that the 
random numbers ai and u are not opened for those i = t , k/2. 

Step 4: The bank obtains the product of unopened k/2 values Bj and raises it to the d-th power to 
compute a signature D as indicated by the following equation. At the same time, the bank withdraws the 

40 con^esponding amount of money from the user's account. 

D - n B i ood a 

45 

Step 5: The user computes, by the following equation, electronic cash C with the influence of the 
random number u removed from the signature D. 

50 It/2 

C = n r i ood n 
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At this time, the following equation holds: 

C = !l* f , yi)** mod n , 



is I 



The electronic cash obtained by this processing Is equivalent to the value f(Xi, yi) directly applied with the 
signature of the bank. Here, e. d and n are created by the bank and satisfy the following equations, 
n = P X Q 

i = LCM{P-1). (Q-1)},and 
e X d = 1 (mod i) 

where P and Q are prime numbers and LCM{a. b} generally represents the least common multiple of a and 
b. The bank publishes the information e corresponding to the face value of the electronic cash C and the 
key n and keeps the key d strictly confidential. 

The procedure for the user to pay with the electronic cash C at a shop is as follows: 

Step 6: The user presents the electronic cash C to the shop. 

Step 7: The shop creates and transmits a random bit string Ei , .... to the user. 

Step 8: For an unopened item i in 1 ^ i ^ k/2. the user presents, to the shop, ai and yi when E] = 1, and 
xi and (ai ® ID) when E| = 0. 

Step 9: The shop checks the validity of the electronic cash C by the following equation, using the user's 
response and the public information e and n. 

C* = f (Xi 1 yi)(ood n). 



The method of settlement between the shop and the bank is as follows: 

Step 10: The shop later presents the electronic cash C, the bit string Ei. .... Ejt/a and the user's 
^0 response (at and y{, or xi and (ai o ID)) and receives payment of the amount of money concerned. 

Step 11: The bank stores the electronic cash C. the bit string Et Ewz and ai (when E| = i), or (a? e 

1D) (when E[ = 0). 

The scheme described above has its features in that it maintains user privacy and permits checking 
double usage of the electronic cash. 
35 Now, a description will be given first of the security for user privacy. Since the information B is obtained 
by randomizing the value f(Xj, yi) with random numbers, the bank and a third party cannot assume the value 
f(Xi. yi) from the information B. Further, even if the bank and the shop should conspire, they could not 
associate the electronic cash C with the signature 0. In other words, it is impossible to know who issued the 
electronic cash C. Thus, the method proposed by Chaum, et al. does not allow the originator (i.e. the users 
^ to be traced back, and hence ensures the privacy of the user, such as his propensity to consume. The 
signature scheme used here will hereinafter be referred to as the "blind signature" scheme. 

As the blind signature scheme, for instance. Chaum proposes in U.S. Patent No. 4,759,063 the following 
blind signature scheme utilizing the RSA encryption scheme. 

A user randomizes a message M with a one-way function Foa expressed by the following equation (1) 
^ using a random number r 

W = Fe A (M) = r«A x M mod n (1) 

and sends the resulting randomized message W to a bank. This processing by the one-way function FeA is 

the blind signature preprocessing. 

The bank signs the randomized message W with a signature function DeA expressed by the following 
50 equation (2) to obtain a signed randomized message fl, which is sent to the user. 

Q = DeA(W) =W<*A modn (2) 

The user processes the signed randomized message Q with a blind signature postprocessing function 

HeA expressed by the following equation (3): 

HeA(n) = n/r mod n (3) 
55 In the above, oa. dA and n in Eqs. (1), (2) and (3) are to satisfy the following conditions: 

Oa X dA^ 1 (mod 1). 

1 - LCM{(P-1). (Q-1)}, and 

n = P X Q, 
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where P and Q are prime numbers, LCM{a, b} is the least common multiple of a and b. dA is a secret key, 
and eA and n are public keys. 

Eq. (3) can be modified as follows: 
HeA(Q) = HeA {DeA(FeA (M))} - (r^A xM)^a / ^ ^ ^ba x dA ^ ^df^ ^ ^ ^dA (p^od (4) 

The right side of Eq. (4) is evidently the replacement of W in Eq. (2) with M. Accordingly, the following 
equation holds: 
HeA(fl) = DeA(M) (5) 

These equations (1), (2) and (3) are representative of the blind signature procedure, and Eq. (4) proves that 
the blind signature is possible. That is to say. the Influence of the random number r can be removed from 
the signed randomized message Q by processing it with the blind signature postprocessing function He^. 
Hence, it is possible to obtain the same signed message DeA(M) as the message M directly signed by the 
bank using the signature function Doa. 

Next a description will b& given of the detection of double usage of the electronic cash C. The bank 
compares the electronic cash C sent from the shop with all electronic cash already stored in a memory to 
check whether the same electronic cash C has been used twice. Suppose that the user has invalidly used 
the electronic cash twice. Then, since at for Ej = 1 or (a,- e ID) for E^ = 0 has been stored in the memory of 
the bank corresponding to the first electronic cash C, the identification information ID can be obtained by 
computing aj ® (at © ID) If Ej for the first use of the electronic cash C and Ei for the second use differ. Since 
the bank makes an inquiry of k/2 bits, the probability of coincidence through all bits (i = 1 to k/2) between 
the two Ej's, that Is. the possibility that the user's ID cannot be computed from the electronic cash C used 
twice invalidly, is 2"'*^. 

In addition to the requirement for the one-way property of the functions f and g, the above-described 
Chaum. et al. scheme requires the collision-free property of two arguments, that is, difficulty in finding (x. y) 
and (x. y') which satisfy Z = f(x, y) = f(x'. y') for securing safety against double usage of electronic cash. 
However, no method has been proposed so far which constructs the one-way functions which satisfy the 
collision-free property of the two arguments. 



SUMMARY OF THE INVENTION 

Accordingly, it is an object of the present invention to provide an electronic cash implementing method 
and apparatus therefor which permit checking of double usage of electronic cash without necessitating the 
use of the function f involving a specific requirement and which ensure user privacy. 

The electronic cash implementing method according to the present invention is a method for use in 
electronic cash processing in which a user uses electronic cash issued from a bank, and a shop receives 
and settles it with the bank. 

The user generates user information (Vi) from secret information (Si) containing his identification 
information (IDp) in a raw form, creates randomized user information (Wi) by randomizing the user 
information (Vi) or information (Mi) containing it through use of a blind signature preprocessor, and sends 
the randomized user information (Wi) to the bank. 

The bank signs the randomized user information (Wi) by the use of signing equipment and then 
transmits the signed-randomized user information (Qi) to the user. 

The user removes, by a blind signature postprocessor, the influence of the randomization from the 
signed-randomized user information received from the bank, thereby obtaining signed user information (Bvi, 
Bi. or B) signed by the bank. 

The user generates authentication information (Xi) from random number infonmation (Ri) through use of 
a first message calculator and randomizes the authentication information or Information m containing it by 
the blind signature preprocessor to obtain randomized authentication information (2i or Z). which is sent to 
the bank. 

The bank signs the randomized authentication information (Zi or Z) by the signing equipment and then 
sends the signed-randomized authentication information (01 or 9) to the user. 

The user removes the influence of randomization from the signed-randomized authentication information 
by the blind signature postprocessor to obtain signed authentication information (Bxi or 0). 

When purchasing an article at a shop, the user presents, as electronic cash, the user information, the 
authentication information, the signed user information and the signed authentication information. 

The shop verifies the validity of the signed user infonnation and the signed authentication information 
by use of verification equipment Further, the shop sends to the user an Inquiry (qi) prepared based on 
information of ttre shop itself. In response to the inquiry from the shop the user presents thereto a response 
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(Yi) prepared through utilization of the secret Information (Si), the random number information (Ri) and the 
inquiry. 

The shop checks the response to verify that the user infbnnation and the authentication information are 
the user's Information, and hence the electronic cash is valid. Then the shop sends the user's presented 
5 infomnation, the inquiry and the response thereto to the banl< for settlement of accounts. 

The banl< verifies the validity of the signed user infomnation and the signed authentication Information 
by means of verification equipment. Having confirmed the validity of the both information, the bank makes a 
check on its memory for the presence of the same pair of information as ^e pair of received user 
information and authentication information. If the same pair of information is found, the bank computes the 
10 secret infonmation of the user from the two pairs of user infonmation and authentication information to 
identify the user, if the same pair of information is not found, the bank stores the received information in the 
memory. 

As described above, according to the present invention, since the blind signature is applied to each of 
the user infomnation prepared from the secret infbnnation containing the identification information and the 

15 authentication information based on the random number infonmation, functions for producing the user 
information and the authentication infomnation do not encounter the problem of the two-argument collision- 
free property. Hence, desired functions can be constructed. 

Moreover, if the signed user information once obtained is used as a license (Bi or B} issued by the 
bank, and if the afore-mentioned signed authentication infbnnation obtained by having the bank sign 

20 information which has the authentication infomnation (XI) and the license (Bi or B) concatenated as required, 
is used as an electronic coin issued by the bank, then the procedure for issuing the electronic coin can be 
simplified, besides the electronic coin can be transferred and/or used more than once. 



25 BRIEF DESCRIPTION OF THE DRAWINGS 

Rg. 1 is a diagram showing the relationships among a bank 100, users 200 and shops 300 to which 
the present invention Is applied; 

Rg. 2A is a flowchart showing the procedure for the issuance of an electronic cash between tiie bank 
30 100 and the user 200 in a first embodiment of the present invention; 

Rg. 2B is a flowchart showing the procedure for the use of the electronic cash between the user 200 
and tiie shop 300 in the first embodiment of the invention; 

Rg. 2C is a flowchart showing the procedure for the settlement of accounts between the bank 100 
and the shop 300 in the first embodiment of tiie invention; 
35 Rg. 2D is flowchart showing a double usage checldng procedure by the bank 100 in Fig. 20; 

Rg. 3 is a functional block diagram of the user 200 in tiie first embodiment of the invention; 
Rg. 4 is a functional block diagram of tiie bank 100 in tiie first embodiment of tiie invention; 
Rg. 5 is a functional block diagram of tiie shop 300 In tiie first embodiment of the invention; 
Rg. 6 A is a flowchart showing the procedure for tiie issuance of a license between tiie bank 100 and 
40 the user 200 in a second embodiment of the present invention; 

Rg. 6B is a flowchart showing the procedure for the issuance of an electronic coin between tiie bank 
100 and the user 200 in the second embodiment of the invention; 

Rg. 60 is a flowchart showing tiie procedure for tfie use of tiie electronic coin between tiie user 200 
and tiie shop 300 in tiie second embodiment of the invention; 
45 Rg. 6D is a flowchart showing the procedure for the settlement of accounts between the bank 100 

and the shop 300 in the second embodiment of the invention; 

Rg. 7A shows functional block diagrams of the bank 100 and the user 200 in Fig. 6A; 
Rg. 7B shows functional biock diagrams of the bank 100 and the user 200 in Fig. 6B; 
Rg. 70 shows functional block diagrams of the user 200 and tiie shop 300 in Rg. 60; 
50 Fig. 7D shows functional block diagrams of ttie bank 100 and the shop 300 in Fig. 6D; 

Fig. 8A is a flowchart showing the procedure for ttie transfer of an electronic coin between users 
200a and 200b in the second embodiment of tiie invention; 

Rg. 8B is a flowchart showing tiie procedure for tiie use of tiie transferred electronic coin between 
the user 200b and the shop 300; 
55 Rg. 80 is a flowchart showing the procedure for the settlement of the transferred electronic coin 

between the bank 100 and the shop 300; 

Rg. 9A shows functional block diagrams of the users 200a and 200b in Fig. SA; 

Fig. 9B shows functional block diagrams of tfie user 200b and ttie shop 300 in Fig. 8B; 
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Fig. 9C shows functional block diagrams of the bank 100 and the shop 300 in Fig. 8C; 

Rg. 10 is a flowchart showing the procedure for the use of an electronic coupon coin between the 
user 200 and the shop 300 in the second embodiment of the invention; 

Rg. 11 shows functional block diagrams of the user 200 and the shop 300 In Rg. 10: 
5 Rg. 12A is a flowchart showing the procedure between the users 200a and 200b for the transfer of 

the electronic coupon coin in the second embodiment of the invention; 

Rg. 12B is a flowchart showing the procedure for the use of the transfenred electronic coupon coin; 

Rg. 13A shows functional block diagrams of the users 200a and 200b in Fig. 12A; and 

Fig. 13B shows functional block diagrams of the user 200b and the shop 300 in Rg, 12B. 

10 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Fig. t illustrates in block form the relationships among a bank, a user and a shop to which the 
electronic cash implementing method of the present invention is applied. In Rg. 1 the bank 100. the users 
75 200 and the shops 300 are interconnected via telecommunication lines, for instance, but they may also be 
connected, for example, via a smart card on which infonmation can be recorded. 



[First Embodiment] 

20 

When receiving from the user 200 a request to issue electronic cash, the bank checks the identity of 
the user 200 and then withdraws from his account an amount of money corresponding to the requested 
electronic cash, or after receiving cash from the user 200 the bank 100 issues a proof of the receipt (signed 
user informatk^n and signed authentication infomnation which form part of information constituting the 
25 electronic cash as described later) IB the user 200 through use of the blind signature scheme. 

When making payment to the shop 300. the user 200 presents the proof to the shop 300 and in 
response to its inquiry presents a response prepared from secret information and random number 
Information used for generating user information and authentication Information, respectively. 

Next, a detailed description will be given of the case where the user 200 using IDp as user identification 
30 information has the bank 100 issue electronic cash. 

In order that the RSA cryptosystem is employed as an example In the blind signature scheme which is 
used in the electronic cash issuance procedure, the bank first determines various required parameters so 
that they satisfy the following conditions: 
n = P X Q 
35 e X d s 1 (mod I) 

where I = LCM{P - 1), (Q - 1)}. 

The bank computes e, d and n. publishes the keys e and n but keeps the key d In secret The face value of 
the electronic cash which the bank issues is fixed, and the public key e con^esponds to the fixed amount of 
money. 

40 In the above LCM(a. b) represents the least common multiple of integers a and b, and P and Q are two 
large different prime numbers. Further, a » b (mod I) represents that a - b is an Integral multiple of I. The 
way of determining such various parameters is described In R.L. Rivest, et al., "A Method for Obtaining 
Digital Signatures and Public-Key Cryptosystems", Communications of the ACM. Vol. 21. No. 2. pp 120- 
126. 1978. for example. 

45 Next, the user 200 generates user information Vi from secret information Si containing his identification 
information IDp intact, by the use of a predetermined first one-way function, and generates authentication 
infonmation Xi from random number information Ri. by the use of a second one-way function. The user 200 
has the bank 100 sign the user information Vi and the authentication information Xi through use of the blind 
signature scheme. The reason for using the blind signature scheme is to protect the privacy of the user 

50 from a conspiracy of the shop 300 and the bank 100. In the present invention it is significant that the secret 
information Si contains the raw identiftcation information lOp. 

The blind signature scheme in the processing between the bank and the user in the following 
description utilizes the RSA cryptosystem (see the aforementioned Rivest. et al. article) as is the case witii 
the blind signature scheme disclosed in U.S. Patent No. 4.759.063 to Chaum. but a blind signature scheme 

55 employing authentication with interactive property (see U.S. Patent Application No. 367,650 filed June 19, 
1989. for example) may also be used. 

Fig. 2A shows the procedure for the user to have the bank issue electronic cash, and Figs. 3 and 4 
show the arrangements of the user 200 and the bank 100. respectively. In tfie following description, i = 1, 
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.... k. 

Step Si : The user generates a random number a; by use of a random generator 21 1 and supplies it to 
signing equipment 212. along with the identification information IDp. The signing equipment 212 is to apply 
a user's signature to the concatenation of the random number ai and the identification information IDp. and 

s its signed output q-, is represented by gi = G(af II IDp), where G is a signature function. The symbol II 
indicates the concatenation; for example. 01110 I1 110 = 01110110. 

Step S2: The output at of the random generator 21 1 and the output gi of the signing equipment 212 are 
input into a concatenator 213 to create the secret information Si. The secret information Si is a 
concatenation of the information IDp. the random number ai and the signature gi as expressed by the 

70 following equation, and hence contains the identification information IDp intact. 
Si = IDp II ai II g, (6) 

Further, two prime numbers Pi and Qi are generated by means of a prime generator 221 and their 
product Ni is obtained by a multiplier 222. 

Step S3: User information given by the following equation, which is a first one-way function, is 
75 computed by a modulo power calculator 223 from a prime number Li, the output Si of the concatenator 213 
and the output Ni of the multiplier 222. 
Vi = Si" mod Ni (7) 

On the other hand, authentication infomiation given by the following equation, which is a second one- 
way function, is computed by a modulo power calculator 225 from secret random information Ri produced 
20 by a random generator 224. the output Ni and the prime number U. 
Xi = Rl"^ mod NI (8) 

Since Li and Ni are used as parameters forming the one-way functions expressed by Eqs. (7) and (8), they 
will hereinafter be refen^ed to as parameter information. 

Step S*: Preprocessing functions for randomizing the user information Vi and the authentication 
25 information Xi with randomizing random numbers n and n' in blind signature preprocessing are one-way^ 
functions, which are generally expressed by Fe as shown below but need not always be of the same form. 
Wi = Fe { n . Vi } (9) 
Zi = Fe { n' . Xi } (10) 

In the embodiment illustrated In Figs. 2A and 3, this preprocessing takes place in the following manner. 
30 Randomized user information expressed by the following equation is computed by a modulo 
multiplication/power calculator 227 from the randomizing random number n from a random generator 226, 
the user information Vi from the modulo power calculator 223 and the public keys e and n. 
NA« = Fe { n , Vi} = r? X Vi mod n (11) 

On the other hand, randomized authentication information expressed by the following equation is 
3S calculated by a modulo multiplication/power calculator 228 from the randomizing random number u 
generated by the random generator 226. the authentication information Xi generated by the modulo power 
calculator 225 and the (public keys e and n. 
Zi = Fe { n' . Xi } = n'^ x Xi mod n (12) 

The user sends the randomized user information W and the randomized authentication information 21 
40 to the bank. 

The random generator 226 and the modulo multiplication/power calculators 227 and 228 constitute a 
blind signature preprocessor 20A. 

Step Ss: Upon receipt of the randomized user information Wi and tiie randomized authentication 
information Zi from the user 200, the bank 100 stores tfiem in memories 101 and 102, respectively (see Fig. 
45 4). 

Next the bank 100 makes the user 100 open k/2 sets of information (Si, Ri. u * 0. L". Ni) to check that 
the user tOO has con^ectiy inserted his identification information IDp in each secret information Si. and then 
verifies, by tfie following procedure, that tfie user 100 has con^ectly performed Steps Si through S4. 

Step Se; The bank 100 decides items ij (where j = 1 k/2) for specifying the k/2 sets of information 

50 (Si, Ri. n. n'. Li, Ni) which the bank 100 demands Hie user 200 to open, and sends the item group U = {ijj 

= 1 k/2} to tfie user 200. The following description will be given on tiie assumption tiiat i = 1 k/2 

are items for unopened information. 

Step S7: Upon receipt of the demand from ttie bank 100. the user 200 sends k/2 sets of information {Si, 
Ri, n. n . Li. Ni} corresponding to tiie respective items i specified by the bank 100. 
55 When an i is the item to be opened, the bank 100 performs procedures of tiie following Steps Ss 
through S10. 

Step Se: When tfie i is the item to be opened, it is checked whetiier tiie IDp has been inserted at a 
predetermined position in Si. and if yes, the following calculations are performed by modulo power 
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calculators 111 and 121 from the information {Si, Ri. Li. Ni} received from the user 200. 
Vi' = Si" mod Ni 
Xi' = Rl" mod Ni 

Step Sg: The following calculations are performed by modulo power calculators 112 and 122 from the 
5 outputs Vi' and Xi' of the modulo multiplication/power calculators 112 and 121. the received information n 
and T't and the public keys e and n. 
Wi' = r?x Vi' modn 
a' = tf X Xi' mod n 

Step Sio: The value Wi stored in the memory 101 and the output Wi' of the modulo power calculator 
10 112 are compared by a comparator 113. The value Zi stored in the memory 102 and the output Zi' of the 
modulo power calculator 122 are also compared by a comparator 123. 

In this way. the bank 100 conducts the above checks for all of the k/2 items i. and if any one of them 
shows disagreement then no further processing will be done. When agreements are obtained for all the i*s. 
then the bank 100 withdraws the amount of money concerned from the user's account or after receiving the 
75 amount of money concerned from the user the bank performs the following procedure for the i which is not 
the item to be opened. 

Step Si 1 : Based on the public key n. the secret key d and the values Wi and Zi stored in the memories 
101 and 102, signed-randomtzed user infonmation ni and signed-randomized authentication information ei 
expressed by the following equations, respectively, are calculated by modulo power calculators 131 and 
20 141 , and the both pieces of information Qi and ei are sent to the user 200. 
Qi = De(Wi) = Wi^ mod n (13) 
ei ^ De(Zi) = Zi^ mod n (14) 

The processing expressed by Eqs, (13) and (14) is the signature applied by the bank 100 to the 
randomized user information Wi and the randomized authentication information Zi, and De is called a 

25 signature function. The modulo power calculators 131 and 141 Constitute signing equipment 10A. 

Step Si 2: Having received the signed-randomized user information ai and the signed-randomized 
authentication information ei from the bank 100, the user 200 performs the following calculations by modulo 
dividers 231 and 232 on the basis of the above-mentioned information Qi and ei received from the bank 
100, the randomizing random numbers n and r{ generated by the random generator 226 and the public key 

30 n. thereby obtaining signed user infonnation Bvi and signed authentication information Bxi which are free 
from the influence of the randomizing random numbers n and 0 and equivalent to those obtained by having 
the t>ank 100 sign directly on the user information Vi and the authentication information Xi. 
BVi = He C ri , ai } =ni/ri mod n (15) 
BXi = He C n' . ei } = ei /rj' mod n (16) 

35 Substituting Eqs. (It) and (13) into Eq. (15) and Eqs. (12) and (14) into Eq. (16), the following equations 
hold. 

BVi = He { n . ai } = ^ '^x Vi'^/n a Vi** mod n = De(Vi) 
BXi = He { n'.ei } = r ^ ^ **x Xi**/ri' ^ Xi** mod n = De(Xi) 

These two equations show that the processing by the user 200 on the signed-randomized user 

40 infqnmation Hi and the signed-randomized authentication information ei by use of the function He provides 
the results De(Vi) and De(Xi) of direct processing by tiie bank 100 on the user information Vi and the 
authentication information Xi by use of the signature function Oe. In other words, the function He removes 
the influence of the randomizing random numbers n and rj from the signed-randomized user information 
and authentication information Qi and ei. The processing for removing the influence of the randomizing 

45 random numbers n and r\ will hereinafter be referred to as tiie blind signature postprocessing and the 
function He as tiie postprocessing function. The modulo dividers 231 and 232 constitute a blind postproces- 
sor 20B. The user 200 uses the set of information {Vi, Bvi. Xi, Bxi} as electronic cash. 

Next, a description will be given of the case where the user 200 pays with electronic cash at the shop 
300. Rg. 2B shows an example of tiie procedure between the user 200 and the shop 300, and Rg. 5 shows 

50 In block form the configuration of the shop 300. 

Step Si 3: The user 200 sends electronic cash {Vi. Bvi. Xi, Bxi) and parameter information {Ni. Li} to 
tiie shop 300. 

Step Si 4: Having received the electronic cash {Vi, Bvi. Xi, Bxi} and the information {Ni. U}, tiie shop 
300 stores them in a memory 301 and at the same time calculates the following verification functions VFe 
55 by modulo power calculators 311 and 312. 
Vi] = VFe{Bvi} = Bvi« mod n 
Xi' = VFe{Bxi} = Bxi® mod n 

Step Sis: The shop 300 checks, by comparators 313 and 312. as to whetiier k/2 calculated results Vi' 
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and Xi' and the corresponding information Vi and Xi received from the user 100 are equaJ to each other (i 

= 1 k/2). By this, it can be determined whether the signature applied to each of the signed user 

information Bvi and the signed authentication information Bxi is true or not 

Step Ste: When the k/2 calculated results are found good» the shop 300 generates k/2 randonn numbers 
5 7i by a random generator 321. stores them in the memory 301 and then transmits an inquiry qi including 
shop identification information IDv. time t and the random number 71 to the user 200. At the same time the 
shop 300 calculates 
Ei = f(qi) - f(l[>v, t. 7f) 

by an f-calculator 322 which calculates a public one-way function f. Hereinafter, it is assumed that an 
10 inequation 0 < B < Li holds. 

Step Si 7: Upon receipt of the inquiry ql = £IDv, t. y^} from the shop 300. the user 200 calculates 
Ei = f(IDv. t, Yi) 
by a public f-calculator 241. 

Step Sib: The user 200 inputs the output Si of the concatenator 213. the output Ni of the multiplier 222. 
IS the output Ri of the random generator 224 and the output Ei of the f-calculator 241 into a modulo 
muItipIicationyjDOwer calculator 242 to calculate a response Yl by the following equation which is a one-way 
function: 

Yi = Ri X Si^ mod Ni (17). 

Then the user 200 transmits the response Yi to the shop 300 (i = 1. .... k/2), 
20 Step Si 9: The shop 300 verifies the validity of the response Yi from the user 200 by caJculating 

Al = Xi X Vi^ mod NI (18) 

with a modulo multiplication/power calculator 331 and 

Ai'= Yi"mod Ni (19) 

with, a modulo power calculator 332. 
25 Step Sao: It is- checked by a cogparatqr 333 whether Ai and Ai' coincide with each other (1 = 1, .... 

k/2). 

The modulo power calculators 311 and 312 and the comparators 313 and 314 constitute verifying 

equipment 30A for verifying the validity of the user information Vi and tiie authentication information XI. The 

f-calculator 322. the modulo multiplication/power calculator 331. the modulo power calculator 332 and the 
30 comparator 333 constitute verifying equipment 30B for verifying the validity of the response Yi. Although in 

the above, processing for all of the i's (i = 1, .... k/2) is perfomned in each of Steps Sie through Sao. it is 

also possible to repeat Steps Sie through Sao for every i. 

Next, a description will be given of the settlement of accounts between the shop 300 and tiie bank 100. 

Rg. 2C shows an example of tiie procedure therefor between the shop 300 and the bank 100. 
35 Step Sz^: The shop 300 presents tiie electronic cash information {Vi. XI. Bvi. Bxi}, tiie parameter 

information {Ni. Li}, the inquiry {IDv, t y\} and the response Yi to tfie bank 100 (i = 1 k/2). 

Step Saa: Having received the above information {NI, Li. Vi, Xi. Bxi, Bvi, IDv, t, 71, Yi} from the shop 

300, tiie bank 100 inputs the public keys e and n into modulo power calculators 151 and 152 to calculate 

the following verification functions VFe: 
40 Vi' = VFe{Bvi} = Bvi« mod n 

Xi' = VFe{Bxi} « Bxi* mod n 

Step Saa: It is checked by comparators 156 and 157 whether the values Vi and Xi are equal to the 

received information Vi and Xi (i = 1. .... k/2). When tiiey are equal, it is determined tiiat the signature 

applied to the information Bvi and Bxi is true. Hence, it is determined tiiat the information Vi and Xi bearing 
45 the signature are also valid. 

Step Sa4: When all of such calculated values are found good, the bank 100 caJculates 

Ei = f(qi) = f(IDv, t, yt) 

by an f-calculator 153, 

Ai = Xi X Vi® mod Ni 
50 by a modulo multiplication/power calculator 154 and 

Ai' = Yi*^ mod Ni 

by a modulo power calculator 155. 

Step Sas: The bank 1(M) checks by a comparator 158 whether tiie values Ai and Ai' coincide with each 

otiier (i = 1 k/2). By tiiis. it can be determined that both Dl and Yi are valid. 

55 Step Sae: The bank 100 stores in a memory 161 the information {Ni, Li. Vi, Xi, Ei. Yi} (i = 1 k/2) 

presented from tiie shop 300 and pays tiie amount of money concerned into the account of the shop 

identification IDv. 

While the above embodiment utilizes the authentication scheme with interactive proof system based on 
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the difficulty of the calculation of higher degree roots, a similar system can also be implemented by such 
authentication scheme with interactive proof system as disclosed in M. Tompa and H. Woil. "Random Self- 
Reducibility and Zero Knowledge Interactive Proofs of Possession of Information". The Proc. of FOCS. 
1987. pp. 472-482. 

5 Incidentally, since the authentication scheme with interactive proof system generally satisfies the 
requirement of soundness property, the identification information IDp of the user will be revealed, if he uses 
the same pair of user information Vi and authentication information Xi twice or more. 

Next a description will be given of the detection of invalid double usage of the electronic cash. 

As described above, when the user 200 uses the electronic cash as a payment to the shop 300, the 

70 latter sends the inquiry qi = {IDv. t 71} to the former. Since the inquiry contains the identification 
information IDv, time t and the random number yu the identification information IDv differs with shops and 
the information t also differs with time even at the same shop. Accordingly, if the user 200 fraudulently uses 
the same electronic cash twice, any one of the contents of the inquiry {IDv. t, y\} provided by the shop in 
response to the second use will naturally differ from the con-esponding piece of Information in the first 

15 inquiry; hence, it can be expected that Ei = f(IDv. t. 71) will also differ. Thus, the corresponding response Yl 
will also differ as seen from Eq. (17). Consequently, if the electronic cash should be used twice, the bank 
would have two different pairs of information (B and Yi) for the same pair of information (Vi and Xi). Now, 
let these pairs of information be represented by (Ei. Yi) and (Ei', Yi'), respectively. Since these pairs of 
information both satisfy Eqs. (18) and (19) in Steps Si 9 and Sao, the following equations hold: 

20 Yi"«Xi • Vi^4mod Ni) (20) 
Yi'^-'sXi • Vi^* (mod Ni)(21) 
From this, the following equation is obtained: 
(fiPfi'f m Vi^-^ (mod Ni) (22) 

Further, since Si" ^ Vi (mod Hi) holds, the following equation is obtained: 
a- (yyri) m V\^-^ (mod Ni) (23) 

Here, since Li is a prime number, Li and B -B are mutually prime, and integers a and 0 which satisfy 

the following equab'on can be calculated by an Euclid's algorithm: 

a X L + /S X (Ei -Ei') = 1 (24) 

Accordingly, it follows that , 
3Q Vi** X (Yi/Yi')^ 3 SI « ^ ^ ^ ^ = ^ ) = Si (mod Ni) (25) 

Thus, the secret information Si can be calculated. Since the secret information Si contains the user 

identification information IDp in the raw form, it is possible to specify the user who used the electronic cash 

fraudulently. 

The above-described double usage detecting procedure is inserted between Steps S25 and S26 in Fig. 
35 2C, for instance. This procedure will be descrit)ed below with reference to Figs. 2D and 4. 

Step Sci: The bank 100 searches the memory 161 for the presence of the same information as the 
received one (Vi, XI). If the same information is not found, the bank 100 proceeds to Step Sas in Fig. 2C, 
and if the same infonmation is found, the bank 100 proceeds to the next step. 

Step Sea: The infonmation (□', Yi') corresponding to the received information (Vi. Xi) is read out of the 
40 memory 161. 

Step Sea: The integers a and which satisfy Eq. (24) are obtained by a Euclid's algorithm calculator 

172. 

Step Sc4: Yi, Yi' and Ni are Input Into a modulo divider 171 to calculate Yi/Yi' mod Ni. and the 
calculated result, a. j8 and Ni are input into a modulo multiplication/power calculator 173, wherein the 
45 aforementioned equation (25) is calculated, thus obtaining the secret information SI. 

Step Scs: The user identification information IDp is extracted from the secret information Si. 
As described above, according to the present invention, the infonmation XI based on the secret 
information Si containing the user identification infonmation IDp in the raw fonm and the information Xi based 
on the random number information Ri are individually subjected to the blind signature preprocessing (Step 
50 S4 in Hg. 2A). This precludes the problem of such two-argument collision-free property of the one-way 
function f(Xi, yO as is needed in the Chaum. et al. scheme. Conversely speaking, the Chaum, et al. 
electronic cash scheme calls for the two-argument collision-free property partly because the same one-way 
function f contains as parameters both of the information X) based on the random number and the 
information yi based on the identification information ID and partly because the information yj Is correlated 
55 by the random number with the identification information ID. that is. the information yi is correlated with the 
infonmation xt. 

Incidentally, as mentioned just above, the pieces of information {VI, Wi} and {Xi. Zi} according to the 
present invention are processed independently of each other, and the pieces of information Qi and ei 
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obtained after the blind signature processing by Eqs. (13) and (14) are also processed independently of 
each other. Moreover, the pieces of signed infonnation Bvi and Bxl obtained after the postprocessing of the 
above pieces of infbnnation by Eqs. (15) and (16) are also processed independently of each other. In other 
words, the information sequences {Vi. Wi. Di. Bvi} and (Xi, Zi. el. Bxi} are processed independently of each 
other until the user obtains the electronic cash after demanding the banl< to issue it. In the process in which 
the user uses the electronic cash as shown in Rg. 2B. the secret information Si and the random information 
Ri are correlated by one function for the first time at the stage of generating the response Yl to the inquiry 
from the shop in Step Si 7. This means that the processing for the information sequence {Vi. Wi, fli. Bvi} 
and the processing for the information sequence {Xi. 2. ei. Bxi} in the process shown in Fig. 2A may be 
e>«cuted at different times and under different situations. This is utilized in a second embodiment of the 
present invention, which will be described below with reference to Rgs. 6A through 6D and 7A through 7D. 



[Second Embodiment] 

In the second embodiment the bank 100 Issues a license to the user 200 once, and each time the user 
200 wants the bank 100 to issue him electronic cash, he has the bank 100 only certify a piece of 
Information containing both the license and the random information, thereby simplifying the procedure for 
the issuance of electronic cash. Eventually, in the procedure for issuing the license an information sequence 
corresponding to Hie afore-mentioned information sequence (Vi. Wi. (li. Bvi} related to the secret 
information Si is successively processed, and in the procedure for issuing electronic cash based on the 
issued license an information sequence coffesponding to the afore-mentioned information sequence {Xi, Zi. 
ei. Bxi} related to the random information Ri is successively processed. In this example the electronic cash 
which is issued in a simplHied form by the simplified procedure will be refen-ed to as an electronic coin C. 

A description will be given first, with reference to Rgs. 6A and 7A..of the case where the user 200 who 
has opened an account with the bank 100 has the latter issue a license. Here. IDp represents identification 
information such as the account number or the like of the user 200. 

The bank 100 creates, as information corresponding to the license, a pair of secret key dA and public 
key Oa which are to be used for the blind signature processing, and makes the key e* public. In the blind 
signature scheme, as described previously, the user 200 who wishes the bank 200 to apply its blind 
signature to a certain message M, randomizes the message with the blind signature preprocessing function 
W = FeA(r, M) using the public key Ba and the randomizing random number r to obtain a randomized 
message W, which is sent to the bank 100. The bank 100 applies its signature to the randomized message 
W by a blind signature processing function fl = DeA(W) using the secret key dA and then sends the signed 
randomized message Q to the user 200. The user 200 removes the influence of the random number r from 
the signed randomized message n with a random number removing function HeA(n) using the random 
number r used for generating the randomized message W. by which the user 200 can obtain a signed 
message DeA(M) bearing the signature of the bank 100 corresponding to the public key eA- Here. Foa for 
randomizing the message M is a blind signature preprocessing function which is a one-way function. Doa is 
a blind signature processing function, and He* for removing the influence of the random number is a blind 
signature postprocessing function. This blind signature scheme can be implemented by employing either of 
the afore-mentioned Chaum's scheme utilizing the RSA cryptosystem and the schemes disclosed in our 
prior U.S. Patent Application No. 367,650 (filed June 19, 1989). 

The user 200 generates infomnation Vi. refen-ed to as user information in this embodiment, from the 
secret information Si containing his identification information IDp as it is. and then he has the bank 100 sign 
the user information Vi through use of the blind signature scheme. The signed user infomnation. i.e. DeA(Vi), 
will be referred to as a license. The reason for using the blind signature scheme is to protect the privacy of 
the user 200 against the conspiracy of ttie shop 300 and the bank 100. 

Now the procedure for the user 200 to have the bank 100 issue the license, shown in Rg. 6A. will be 
described more specifically with reference to Rg. 7A which illustrates functional blocks of the user 200 and 
the bank 100. In the following description, I = 1 k/2. 

Step Si: The user 200 generates a random number at by a random generator 203. which Is input into a 
concatenator 204. along with the user identification information IDp. The concatenated output IDp II ai is 
input into a signature generator 218 to obtain 
gi s Q (IDp fl aj) (26) 

Step S2: The output of the signature generator 1218 is input into the concatenator 204 along with (IDp fl 
ai) to obtain the following secret information: 
Si - lOpnaiHgi (27) 
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The secret information Si is stored in a memory 211. Moreover, k pairs of prime numbers (Pi Qi) are 
produced by a prime number generator 201 and tiie product Ni of the prime numbers Pi and Qi are 
obtained by a multiplier 202 and is stored in the memory 21 1. 

Step S3: A prime number U (a prime number greater than 3. for example) is generated by a prime 
number generator 213 and the following user information 
Vi = Si" mod Ni (28) 

is calculated by a modulo power multiplier 205 from the prime number U. the secret information Si and the 
product Ni. Then the prime number Li and the user information Vi are stored in the memory 21 1. 

Step St: The product Ni. the user information Vi and the prime number U are Input into a concatenator 
I 206. and its output Mi = (NIB Vi || Li) and the public key for the generation of the license are input into a 
blind signature preprocessor 207 to obtain the following randomized user information- 
Wl a FeA {ri . Mi) (29) 

The randomized user information Wi thus obtained is sent to the bank 100. The blind signature preproces- 
sing function Foa may be the same as that given by Eq. (1) of the Chaum's scheme utifizing the RSA 
cryptosystem or the function proposed in our prior U.S. Patent Application No. 387.850 (filed June 19 
1989). ^ 

Next, the bank 100 makes the user 200 disclose the k/2 sets of information {Si. Li Pi Qi r } after 
which the bank 100 follows the following procedure to verify that the user 200 has correctly inserted his 
Identification infbmiation IDp in each secret information Si and has correctly executed Steps Si through S4. 

Step Ss: The bank 100 selects, by a random selector 101. k/Z different items ij at random from k items 
1. and sends to the user 200 the set of items ij as a disclosure demand U = {1^ | j = 1 , k/2} For the sake 

of brevity, let it be assumed that the bank 100 has selected i = k/2 + 1. k/2+2 k a^ the ij. Accordingly i 

= 1 W2 are not the items of disclosure. 

Step Ss: Upon receipt of the disclosure demand U from the bank 100. the user 200 discloses by a 
disclosure control 208.4he k/2 seta of informatiofl.{Si. Li. Pi. Qi. r,} specified by the bank 100. Here, r- is the 
random number used in the blind signature preprocessing function Fe* for the randomized user information 
Wi. 

Step S7: When i is the item of disclosure, that is. when k/2+ 1 S i S k. the bank 100 checks whether the 
IDp has been inserted at a predetennined position in Si. and if yes. obtains, by a multiplier 102. the product 
Ni = Pi X Qi from the information {Si. U. Pi. Qi. n} and then calculates the following user Information Vi by 
a modulo power calculator 105: 
Vi = Si" mod Ni (30) 

Step Ss: The following value Wi' is calculated by a concatenator 104 and a blind signature preproces- 
sor 107 from the outout Vi of the modulo power calculator 105. the received random number r, and the 
public key Oa. 

Wi' = Foa {r,' (Ni II Vi B Li)} 

Step Sj: The value of the received randomized user infbmnatlon Wi and the value Wi' are compared by 
a comparator 106. If they coincide, the user's demand is accepted, and if not. the user's demand is not 
accepted and no further processing takes place. 

In this way. the bank 100 makes the above comparison for all of the k/2 items i and. when any one of 
comparison resulte shows disagreement, discontinue further processing. When all of the W2 comparison 
results are found good, the bank 100 performs the following signing procedure for the items i which are not 
the objects of disclosure (1 = 1. .... k/2). 

Step Sto: The randomized user infomr>ation WJ and the secret key dA for the blind signature of the bank 
100 are input into a blind signature generator 108 to obtain signed-randomized user information fli defined 
by the following equation: 
Hi = Doa (Wi) (31) 

The signed-randomized user Information Qi thus obtained is sent to the user 200. The function Doa is a 
signature funcHon of the bank 100 and may be the same as that given by Eq. (2) in the Chaum's scheme 
utilizing the RSA cryptosystem. for instance. 

Step Si,: Having received the signed-randomized user information ni from the bank 100. the user 200 
calculates the following equation (32) by a blind signature postprocessor 209 from the signed-randomized 
user information QI, the random number r, used in the blind signature preprocessing (Step S*) and the 
public key OA. thereby removing the influence of the random number r, from the signed-randomized user 
information fli. 
Bi = HeA(r, . 01) (32) 

The function H&„ may be the same as that given by Eq. (3) of Chaum. The signed user information Bi thus 
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obtained by Eq. (32) satisfies the following equation (33) as is the case with Eq. (5) of Chaum. 
Bi = Dba (mi) (33) 

Accordingly, the signed user information Bi obtained by Eq. (32) Is equivalent to information obtained in 
such a manner that the message Mi = (Ml 1 Vi II LI) containing the user information Vi has been signed 

5 directly by the bank 1 00 using the secret key dA comesponding to the public key Ba* The user 200 can use 
the thus obtained signed user information BI as a license of the electronic coin as many times as he wishes. 

In the above, the blind signature Qi is obtained for each of the k/2 pieces of randomized user 
information Wi in Step Sio and k/2 pieces of signed user Information BI are obtained in Step Sn, but it is 
also possible to perform processing for signing messages M\ Mk/2 collectively as described below. 

w Step Sio : For multiplex-randomized user infomnation obtained by multiplexing all pieces of randomized 
user information Wi of W2 Items i which are not the objects of disclosure, the banl< 100 calculates one blind 
signature, i.e. signed-randomized user information, Q by the following equation (31) and sends It to the user 
200. 

Q = DOa (Wi,.... Wwa) (3l') 
15 Step Si/: Based on the blind signature Q received from the bank 100, the random number r\ and the 
public key oa. the user 200 calculates the following equation (32') by the blind postprocessor 209, obtaining 
a single piece of signed user information B. 
B = HeA(ri r^a . Q) (32') 

The signed user information B thus obtained satisfies the following equation: 
20 B = DeA(Mi .... Mk/2 ) (33') 

The functions Doa and Hca by which Eqs. (31), (32') and (33 ) hold can be implemented by, for 
instance, modifying the aforeHfnentioned Eqs. (1). (2) and (3) in the Chaum's blind signature scheme using 
the RSA cryptosystem. respectively, as follows: 

Wi = FeA (Mi)» ri X Mi mod n CI J 

a - Dca (W, , W ic/z ) = (11^ Wi)^" nod n • — (2') 

30 



HeA (r, . r vyz.Cl )=n/.n n mod n • • • (3') 

X = 1 



as 



40 



By detenmining the functions as mentioned above, the following equation holds: 



= DeA (W. . - , WK/z)/n^ n = (n^ Wi) /n^ ri 



45 



eA* dA 

^ n'(Wi /ri)sn (ri -Mi) /ri=n(- 



XMi ) 



50 



s Mi***^ mod n =» DeA(Mi , — . Mk/j) 



55 In the folbwing description, equations in the case where the license is composed of one piece of 
information B produced by the collective signature procedure as mentioned above, will each be referred to 
by a conresponding reference numeral added with a prime, but procedures and functional blocks are shown 
only in connection with the case of using a license composed of k/2 pieces of information Bi. 
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Next, a description will be given of the procedure for the user 200 to have the bank 200 issue the 
electronic coin. -In this procedure the user 200 creates the authentication information Xi based on the 
random information Ri. concatenates thereto the license Bi and uses it as the electronic coin after having it 
signed by the bank 100. Also in this instance, the blind signature scheme is used. At first, the bank 100 
5 generates a pair of secret key dA' and public key eA^ to be used for the blind signature, as infomnation 
corresponding to the face value of the electronic coin, and makes the key public. Fig. 6B shows an 
example of the procedure to be taken in this case between the bank 100 and the user 200. Fig. 7B shows 
block diagrams of the user 200 and the bank 100. The following description will be made on the assumption 
that i = 1 k/2. 

10 Step Si 2: Based on random infbnnation Ri produced by a random generator 214 and parameter 
information Ni and Li read out from the memory 211, the user 200 calculates by a modulo power calculator 
215 the following authentication information: 
Xi = Ri" mod Ni (34) 

and stores the authentication Xi and the random information Ri in the memory 211. 
IS Step St 3: For all of I = 1 k^2, the authentication Information Xi and the license Bi read out of the 

memory are concatenated together by a concatenator 216. and its output 

m = Xi If'llXwallB, II--- llBwe (35) 

or in the case of using the one ^iece license B, 

m = X, II llXwallB {35') 
20 is input into a blind signature preprocessor 217, along with the public key eA' conresponding to the face 

value of the electronic coin and a random number Tp, thereby calculating randomized authentication 

information given by the following equation: 

Z = FeA'(rp, m) (36) 

The randomized authentication information thus obtained and information on the face value of the electronic 
25 coin are sent to the bank 100. < » 

Step Si*: Having received the randomized authentication information Z. the bank 100 inputs it and the 
secret key dA' corresponding to the face value of the electronic coin into a blind signature generator 109. 
from which the following signed-randomized authentication information Is produced: 
e = DeA'(Z) (37) 

30 The bank 100 sends the signed randomized authentication infomnation 9 to the user 200 and, at the same 

time, withdraws tiie conresponding amount of money from the account of the user 200 or receives payment 

of the amount of money concemed from the user 200. 

Step Si 5: Having received tiie signed randomized authentication information 9 from the bank 100, the 

user 200 inputs the randomizing random number rp used in the blind signature preprocessor 217. the 
35 information 9 received from the bank 100 and the public key Ba into a blind signature postprocessor 219. 

by which the following equation 

C = HeA'{rp. 9) (38) 

which is stored in tiie memory 21 1. the result of calculation of Eq. (38) satisfies the following equation 

HeA'(rp. 9) = DeA'(m) (39) 
40 That is. the electronic coin C is equivalent to information obtained by applying the signature of the bank 

directiy to ttie infomnation m. 

Next a description will be given of tiie case where tiie user 200 pays with the electronic coin C to the 

shop 300. Rg. 6C shows an example of the procedure to be performed between tiie user 200 and the shop 

300 and Rg. 7C shows block diagrams of tiie shop 300 and the user 200. The following description will be 
46 given on the assumption that i = 1. .... k/2. 

Step Sig: The user 200 transmits to the shop 300 tiie electronic coin C. the license Bi. the user 

information Vi, tiie autiientication information Vi and tiie parameter information Ni, LI read out of the 

memory 211. 

Step Si 7: The shop 300 verifies tiie validity of the signature of the bank 100 applied to tiie message Mi 
50 = (Ni 0 Vi [| Li) in the license BI by digital signature verification equipment 319A tiirough use of tiie public 
key Oa and the validity of the signature of the bank 100 applied to m = (Xi II - - • 0 Xk^ 0 Bi II - - • II Bk«) in 
the electronic coin C by digital signature verification equipment 31 9B through use of the public key . 
This is done by calculation or checking whether the following verification equations hold or not. If the 
signature of the bank 100 Is not found to be valid, tiien no further processing will be performed. 
55 (NI II VI D U) = VFeA {31} = Bi«A mod n (40) 

pCi D ••- flXwz D Bt D ---11 Bwa) = VFe/ {C} = C«a^ mod n (41) 
or 
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n' Mi=VFeA {B} =B^*«od n • ' ' * UO') 



.{ Xt II • • • 11 X we II B ) =VFeA' {C} = C»a. mod n (41 ') 

Step Sis: The shop 300 sends an inquiry qi including time t available from a timer 321, a random value 
number y\ extracted from a random generator 303 and identification information IDv of the shop 300 to the 
user 200 and demands a predetermined response based on these pieces of information. At the same time, 
70 the shop 300 calculates 

B = f(gO = f(IDV.t.7i) (42) 

by a one-way function calculator 322, using the above pieces of information. 

Step Si a: The user 200 inputs the received identification information IDv. time t and random number 
value 71 into a one-way function calculator 221 , by which the same calculation f(IDv. t, yi) as mentioned 
75 above is performed. Its output value Ei and information Si and Ni read out of the memory 21 1 are used to 
calculate yi = si^' mod Ni by a modulo power multiplier 222. Its output value yt and the infomnation Ri and 
Ni read out of the memory 21 1 are used to calculate Yi = y, x Ri mod Ni by a modulo multiplier 223. 
obtaining 

Yi = Ri • Si^ mod Ni (43) 

20 The user 200 sends- this Yi as a response to the shop 300. 

Step Sao: The shop 300 calculates yi = Vi^ mod Ni by a modulo power multiplier 304 from the output 
value Ei and the information Ni and Vi previously received from the user 200. Further, a modulo 
multiplication of its result yi and Xi mod Ni is performed by a modulo multiplier 313 to obtain Xi x Vi^' mod 
Ni. On the other hand, the received Yi and information Li and Ni are input into a modulo power multiplier 

25 305 to calculate Yi" nQpd Ni, and its result and the output of the modulo multiplier 313 are input Into a 
comparator 306 to check whether the following equation holds or not. 
Yi" a Xi • Vi^ (mod Ni) (44) 

If this equation holds, the shop 300 receives the electronic coin C as a valid one. 

Now. a description will be given of the settlement of accounts between the shop 300 and the bank 100. 
30 Fig- 6D shows an example of the procedure to be performed between the shop 300 and the banl< 100. Fig. 
70 shows block diagrams of the bank 100 and the shop 300. 

Step S21: The shop presents the information {Ni, Li. Vi. Xi. Bi. Yi. C, IDv, t. yi} (» = 1. k/2) in the 
memory 311 to the bank 100 and receives a payment of the amount of money concerned. 

Step S22: Upon receipt of the information from the shop 300. the bank 100 verifies the validity of the 
55 signature of the bank 10 applied to the information IVIi = (Ni 1 Vi II Li) in the license Bi by digital signature 
verification equipment 119A through use of the public key ca and th© validity of tiie signature of the bank 
applied to m = (Xi 1 0 Xjc/a II Bi 1! 0 Biu2) in the electronic coin C by digital signature verification 
equipment 1198 through use of the public key Oa'. This verification is done by checking whetiier Eqs. (40) 
and (41) hold or not. In the case of using the one-piece license B. Eqs. (40') and (41 ') are employed. Only 
40 when the validity of the signatures applied to the above-said infonmation is confimied. the bank 100 proceed 
to the next step. 

Step S23: The pieces of information IDv, t and yi in the inquiry qi received from the shop 300 are 
provided to a one-way function calculator 112 to obtain its output value B = f(IDv, t 71). Yi" mod Ni is 
calculated by a modulo power multiplier 113 from the pieces of information Yi. Ni. and Li. Vi^ mod Ni is 
45 calculated by a modulo power multiplier 1 14 from the pieces of information Ei. Vi, and Ni. Moreover, Xi*Vi^ 
mod Ni is calculated by a modulo multiplier 115 from the output of the modulo multiplier 114 and tiie 
pieces of information NI and Xi. Then tiie outputs of the modulo power multiplier 113 and the modulo 
multiplier 115 are input into a comparator 116 to check whether the following equation holds or not 
Yi"aXi-Vi^ mod NI) 

so Step Sz^: When ttie information received from the shop 300 is found good as a result of tiie above 
verification, the bank 100 stores the information {Ni, Li, Vi. Xi, Bi, Yi, C, IDv, t 71} (' = L a 
memory 111 and pays the amount of money concerned into the account (IDv) of the shop 300. 

Altiiough the above embodiment has been described with respect of the system utilizing the autiientica- 
tion scheme wttii the interactive proof system based on the difficulty of the calculation of higher degree 
55 roots (Japanese Pat Appln. No. 38391/68), a similar system can be implemented as well by use of other 
authentication schemes with the interactive proof system. 

Incidentally, since the authentication scheme with the interactive proof property satisfies the require- 
ment of soundness property (the property that when two correct Yi are obtained for the same pair of user 
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information Vi and authentication infomiation Xi. tiie secret information Si corresponding to the infonmation 
Vi can be calculated), the identification information IDp of the user will be revealed, if he uses the same 
electronic coin twice or more. In other words, if the user uses the electronic coin twice fraudulently, two 
pairs of infonmation (Ei, Yi) and (Ei'. Yi ) which satisfy the verification equation (44) are obtained for the 
5 same pair of information Vi and Xt as in the case described previously in the first embodiment with 
reference to Fig, 2D. Consequently, the following equation holds: 
(Yi/Yi')" 3 Vi^*® mod Ni) 
from which the, following equation is obtained. 
{Yi/Yf') 5 Si^-® (mod Ni) 

10 On the other hand, Si^ = Vi mod NI holds. Here, Li is a prime number and this Li and B-Ei' are mutually 
prime, so that the secret infonmation Si can be calculated. Since the secret information Si contains the 
identification information IDp of the user 200 in the raw form, it is possible to specify the user who used the 
electronic coin fraudulently. 

As described above in detail, the second embodiment also possesses the features of (a) protecting the 

/5 privacy of the user and (b) detecting double usage of the electronic coin as is the case with the first 
embodiment Since the blind signature scheme is utilized for the feature (a), it is possible to maintain the 
privacy of the user such as his propensity to consume. For the feature (b). when the electronic coin is used 
twice or more, the secret information used for creating the license is revealed owing to the property of the 
authentication scheme with the interactive proof property. 

20 Incidentally, the issuance of tiie license involves the procedure in which the user sends k pieces of 
information Wi to the bank and the bank selects k/2 pieces of the information and makes the user 
disclose k/2 sets of parameters used for generation of tiie selected k/2 pieces of information Wi. This 
imposes a large burden on the processing. In the present invention, however, tiiis procedure is required 
only when the user opens his account at the bank. In contrast thereto, the frequency of tiie process for 

25 * issuing the electronic coin is considered to be relatively high, but its processing basically involves only one " 
blind signature generating procedure, and hence tiie burden of this procedure is small. In tiie first 
embodiment however, since the license and tiie electronic coin are integrated into electronic cash, it Is 
necessary, for each issuance of the electronic cash, to perform the procedure in which the user sends k 
pairs of infonnation (WI, Zi) to the bank and the bank selects k/2 pairs from them and makes the user 

30 disclose the corresponding parameters. The burden of this procedure is large. 

As described above, according to tiie second embodiment tiie electronic coin C can easily be issued at 

any time using the license Bl (i = 1 k/2) or B issued in advance by the bank. The electronic coin 

according to the scheme of the present invention in which the license and the electronic coin are issued 
separately can be used more convenientiy in several manners. Rrst, the electronic coin can be transferred 

35 to otiier users; second, the same electronic coin can be used many times: third, tiie electronic coin can be 
transferred to other users and used many times. A description will be given of the electronic coin which 
possesses these functions in the second embodiment 

40 [Transfer of tiie Electronic Coin] 

The following description will be made in connection witii tiie case where a first user 200a transfers to a 
second user 200b ttie electronic coin C issued following tiie procedure shown in Fig. 68. Assume, in tills 
case, that tiie user 200b also has the license obtained from the bank 100 by the same procedure as is the 

45 case witii tiie user 200a. Rg. 8A shows an example of tiie procedure between tiie users 200a and 200b. 

Fig, 9A illustrates tiieir block diagrams. In the following. 1 = 1,2 k/2. and variables with " " on symbols 

are all related to the second user 200b who is the transferee. The meaning of each variable is the same as 
that defined previously, unless specified othenvise. 

Step Si: The first user 200a transmits to the second user 200b the license Bl or B, the electronic coin 

50 C, the user information VI. the authentication information Xi and the parameter information Ni and Li read 
out of the memory 21 1 . 

Step S2: The second user 200b verifies the validity of tiie signature of the bank applied to the message 
Mi ^ (Ni Q Vi fl Li) in the license Bl by digital signature verification equipment 51 9A on the basis of the 
public key Qa and tiie validity of tiie signature of tiie bank applied to m = (Xi [| * * * 0 Xu/z D Bi [| * * * B^/z) 
ss in the electronic coin C by digital signature verification equipment 519B on tiie basis of the public key Oa • 
This verification is performed by checking whetiier or not tiie following verification equations (45) and (46) 
hold, by calculation. In tiie case of tiie one-piece license B, tiie verification is effected using the following 
equations (45*) and (46'). If the signatures of the bank are found invalid, ttien no furttier processing will take 
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place. 

(Ni (I Vi II Li) = VF0A {Bi} = Bi^A mod n (45) 

(Xi II ••• llXw2 II B, II ••• fl = VFga' {C} =C*a, mod n (46) 



Mi-VFeA {B}'=B *raod n • . . . (45*) 



Xi II • • • II Xwa II B) = VFga' (C} =C«a, mod n (48') 

Step Ss: To make sure that the received user information Vi and the authentication information Xi 
belong to the user 200a who is the transferor, the user 200b sends to the user 200a. as an inquiry, a value 
€} available from a random generator 503. 
75 Step S4: The user 200a caicuiates Sf^ mod Ni by a modulo power calculator 222 on the basis of the 
received value ei and the information Si and Ni of his own read out of the memory 211, and calculates 
Yi = Ri'Si^i mod Ni 

by a modulo multiplier 223 on the basis of the output of the moduto power calculator 222 and the 
information 1^ and Ni read out of the memory 211. Then the user 200a sends the value Yi as a response to 
20 the user 200b. 

Step Ss: The user 200b inputs the value €i and the received information Vi and Ni into a modulo power 
multiplier 504 to calculate 
Vi^f mod Ni 

and inputs the calculated value, the received authentication information Xi and received Ni into a modulo 
25 multiplier 513 to calculate 
Xi'V«i modNi. 

On the other hand, the received pieces of information Yi, Li and Ni are input into a modulo power multiplier 
505 to calculate 
Yi" mod Ni 

30 and the calculated value and the output of the modulo multiplier 513 are provided to a comparator 506 to 

check them for coincidence. If they coincide, the user information Vi and the authentication information Xi 

are determined to be valid. 

Step Sg: The user 200b who is the transferee sends his license §1 §)</2 (or B) to the user 200a to 

have the transferor 200a sign the licenses. 
35 Step Sz: The transferor 200a signs the received license §1 Bic/2 (or §) by signing equipment 233 

which calculates a digital signature function of the following equation (47) or {47), for example, and then 

returns to the user 200b the signed license as a deed of transfer T. 

T= (Bt O-** II Bk«)''^ modNi (47) 

T = B^'3 (47') 

40 In the above. Ni assumes a value for predetermined item i in the range of 1 ^ i ^ k/2. 

Step Ss: The user 200b inputs the public key Ni of the user 200a and the received deed of transfer T 

into digital signature verification equipment 51 9C to verify the validity of the deed of transfer T by checking 

whether the following equation holds or not. In this instance. Ni is a vaJue for the above-mentioned 

predetermined item i. 
45 (Bi I II Bwa) = T^modNi (48) 

B = T3 mod NI (48') 

When the validity of the signature of the user 200a is found good, the user 200b receives the electronic 
coin C as a valid one. 

Next, a description will be given of the case where the user 200b makes payment to the shop 300 with 
50 the electronic coin C transferred from the user 200a. Rg. 8B shows an example of the procedure between 
the user 200b and the shop 300. Fig. 9B shows their block diagrams. In the following, i = 1 k/2. 

Step Sg: The user 200b transmits to the shop 300 the received^ infomiation group {Ni, Li. Vi. Xi. Bi. Yi, 
C, T} read out of the memory 511 and an information group {Ni. Li. Vi. Bi. ei} of his own also read out of 
the memory 511. 

55 Step S10: The shop 300 verifies the validity of the signature of the bank 100 applied to (Ni II Vi II Li) in 
the license Bi of the user 200a by digital signature verification equipment 31 9A using the public key Oa and 
the validity of tiie signature of the bank 100 applied to p<i II • • • II X^a fl Bt D • * • D Bk/a) in the electronic 
coin C by digital signature verification equipment 31 9B using the public key eA . This verification is 
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performed using the afore-mentioned Eqs. (45) and (46). In the case of using the one-piece license B, Eqs. 
(45 ) and (48') are used. Further, the shop 300 verifies the validity of the signature of the user 200a applied 
to (Bi II • II ik/a) in the deed of transfer T, by digital signature verification equipnnent 31 9C following the 
afore-mentioned equation (48). In the case of using the one-piece license B, Eq. (48') is employed. 

5 Step Sn: IWoreover, the shop 300 inputs the received pieces of information ei. Vi and Ni into a modulo 
power calculator 314 to calculate Vi^» mod NI and inputs the calculated output and the received pieces of 
information Xi and Ni into a modulo multiplier 313 to calculate Xi*VI^' mod Ni. On the other hand, the 
received pieces of information Yl, Ni and Li are provided to a modulo power calculator 315 to calculate Yi*^ 
mod Ni and then the calculated output and the output of the modulo multiplier 313 are input Into a 

10 comparator 318 to check whether the following equation holds or not. 
Yi'-^aXi • (modNi) (49) 

If this equation holds, then it is determined that the received pieces of information Vi and Xi are those of the 
user 200a. 

Step St2: Furthermore, the shop 300 verifies the validity of the signature'of the bank 100 applied to M'l 
15 = (f3i II Vi II Li) in the license Bi of the user 200b who is the transferee. This verification is carried out by 
digital signature verification equipment 31 9D using the public key eA, in accordance with the following 
equation (50) similar to the afore-mentioned equation (45). In the case of using the one-piece license B, the 
following equation (50') is employed. 
(Ni II 9i II D) = VFoa {Bi} = Bf a mod n (50) 

20 



n Mi =V FeA {B} = B mod n . - • • • (50 ) 

i* t 

25 - 

When the signature of the bank 100 is found invalid, the processing Is discontinued. 

Step St 3: To identify the user infonmation Vi of the user 200b who is the transferee, the shop 300 sends 

to the user 200b, as an inquiry qi, time t available from a timer 321. a value yi from a random generator 303 
30 and the identification information IDv of tiie shop 300. At the same time, these pieces of information IDv, t 

and 7} are provided to a one-way function calculator 322 to calculate Ei = f(qi) = f(IDv, t. 7:). 

Step Si*: The user 200b inputs the received pieces of infonnation IDv. t and yi into a one-way function 

calculator 522. Its output value Ei = f([Dv. t yd and pieces of information Si and Ni of the user 200b are 

provided to a modulo power calculator 523 to calculate Si^ mod Ni. Further, the calculated result and 
35 pieces of infomnation % and Ni read out of the memory 51 1 are input into a modulo multiplier 524 to obtain 

Yi = *i • S mod Ni (51) 

The value Yi thus obtained is transmitted as a response to the shop 300. 

Incidentally, % Is a value which satisfies the relation of the following equation (52), and it is calculated 
after tine transfer of the electronic coin C from tiie user 200a and is stored in the memory 51 1. 
40 5i = Xi ' mod Ni (52) 

Here, 1/U is an inverse element as an exponent component 0 in mod Ni and satisfies the following 
equation: 

(1/L)i Li « 1 mod LCM {Pi - 1) . (Qi - 1) } (53) 

The value 1/Li is calculated by an inverse calculation from Pi, Qi and D. 

45 Step Sis: The shop 300 inputs the output value Ei of the one-way function calculator 322 and the 
received pieces of information Vi and Ni into a modulo power calculator 304 to calculate Vi^' mod Ni and 
inputs tiie calculated result and the pieces of infomnation Xi and f^I into a modulo multiplier 313 to obtain 
Xi*9i^ mod Ni. On the otiier hand, the received response Yi and tiie pieces of infomnation Ni and Li are 
applied to a modulo power calculator 305 to calculate Yi ' mod Ni, and tiie calculated result and the output 

50 of the modulo multiplier 313 are input into a comparator 306 to check whether tiie following equation holds 
or not. 

?i ' HI Xi • 9l° (mod Ni) (54) 

When the response ?i is found valid, tiie shop 300 determines that the response YI belongs to the user 
200b who is the transferee, and receives the electronic coin C as a valid one^ 
55 As described above, in step Si^ the user 200b produces tiie response Yi of Eq. (45) using given by 
Eq. (52), which is a function of Xi, instead of using tine random information Ri of the user 200b himself, and 
consequentiy. the authentication information Xi of tiie user 200a can be employed for tiie calculation of the 
verification equation (54) in Step Sis which is performed by ttie shop 300. In otiier words, tiie user 200b 
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who uses the transferred electronic coin needs not to present his authentication infornnation Xi to the shop 
300. 

Next, a description will be given of the settlennent of accounts between the shop 300 and the bank 100. 
Fig. 8C shows an example of the procedure between the shop 300 and the bank 100. Fig. 9C illustrates 
s their block diagrams. 

Step Sie: The shop presents to the bank 100 an infonnation group concerning the user 200a» {Ni, Li, 
Vi, Xi, Bl, Yi, C, T}, an information group concerning the user 200b and the shop 300. {Ni, Li, Vi, Bi, Yi, €u 
\Dv, t, 7i}, read out of the memory 31 1 (i = 1. .... k/2). 

Step Si 7: The bank 100 verifies the validity of the signature of the bank applied to (Ni II Vi II Li) in the 

10 license Bi of the user 200a by digital signature verification equipment 119A using the public key Oa and the 
validity of the signature of the bank applied to (Xi II ... II Xic^ II 61 II ... II Bic^) in the electronic coin C by 
digital signature verification equipment 119B using the public key Oa . This verification is performed 
following the afore-mentioned Eqs. (45) and (46). Moreover, the bank 100 verifies the validity of the 
signature of the user 200a applied to (§1 1 ... II Bk^) in the deed of transfer T by digital signature verification 

15 equipment 119C. following the afore-mentioned equation (48). In the case of using the one-piece license B. 
the verification is performed using Eqs. (45 ). (46 ) and (48'). 

Step Sis: The pieces of information €i. Vi and NI are input into a modulo power calculator 117 to 
calculate Vi^ i mod Ni. and the calculated result and the pieces of information Ni and Xi are provided to a 
modulo multiplier 118 to calculate Xi'Vi^i mod NL On the other hand, the pieces of information Yi, NI and 

20 Li are input into a modulo power calculator 103 to calculate Yi^ mod Ni, and the calculated result and the 
output of the modulo multiplier 118 are applied to a comparator 106 to check whether or not the following 
equation identical with the afore-mentioned equation (49) holds. 
Yi^aXi'Vi^i (modNi) 

When this equation holds, it is detenmined that the pieces of information Vi and Xi are those of the 
25 transferor 200a. 

Step Si 9: The validity of the signature of the bank 100 applied to (Ni II 9i II U in ti^e license Bi of the 
transferee 200b is verified by digital signature verification equipment 11 90 using the public key Ba- For this 
verification the same equation as Eq. (50) is used. In the case of using the one-piece license B. Eq. (50 ) is 
used. Further, the pieces of information IDv, t. 71 of the inquiry qi are input into a one-way function 

30 calculator 112 to calculate Ei = f(IDv, t. 71). The output of the one-way function calculator 112 and the 
pieces of information Vi and Ni are provided to a modulo power calculator 114 to calculate Vl^' mod NI, and 
the output of the modulo power calculator 114 and the pieces of information Xi and Ni are input into a 
modulo multiplier 115 to obtain Xi'Vi ^ mod Ni. On the other hand, the pieces of Information Yi. Ni and D 
are input into a modulo power calculator 1 13 to calculate Yi ^* mod Ni. The outputs of the modulo multiplier 

05 115 and the modulo power calculator 1 13 are applied to a comparator 116, wherein it is checked whether or 
not the following equation which is identical with Eq. (54) holds. 
YitiaXi'V® (mod Ni) 

When this equation holds, It is detemnined that tiie information Vi is the information of the transferee 200b. 
Step S20: When the foregoing verifications are passed, the bank 100 stores tiie information group of the 

40 user 200a, {Ni, U, Vi, Xi, Bi, Yi, C, T}, and the information group concerning tiie user 200b and the shop 

300. {fii. D. 9i, Bi. Yi, IDv, t, yl}, (1 = 1 k/2) in tiie memory 111 and pays tiie amount of money 

concerned into the account IDv of the shop 300. 

If the user 200a who has transferred tiie electronic coin as described above uses it twice fraudulentiy, 
then two identical pairs of infornnation (Vi, Xi) exist as described previously, and consequently the double 

45 usage of the electronic coin is detected by the bank 100 in the procedure shown in Fig. 20 and the user 
200a is identified. On tiie otiier hand, in the case of detecting double usage of the transferred electronic 
coin by the transferee 200b, the bank 100 needs only to make a check as to whether or not a pair of 
information of the same value as the received pair of information (9i, Xi) is present in the memory 111. If 
\he pair of information (9i, Xi) of the same value is found, the secret information Si of tiie user 200b can be 

50 calculated by the following equation, using the pieces of information ?i. Li and Ri corresponding to tiie 
stored pair of information in tiie procedure shown in Rg. 2D. 
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[Repetitive Use of the Electronic Coin] 

Now, a descrfption will be given of a method by which the user 200 repetitively uses the electronic coin 
obtained by the procedure of Fig. 6B in the second embodiment The following will describe the procedure 

5 for the j-th use of the electronic coin which the user 200 is allowed to use K times (j S K). This is applicable 
ta either of the cases of transfer to another user 200 and payment to the shop 300, but the procedure will 
be described in connection with the case of payment to the shop 300. Fig. 10 shows an example of the 
procedure to be performed between the user 200 and the shop 300, and Fig. 1 1 illustrates them in block 
form. In the following, i = 1, lc/2. 

70 Step Si: The user 200 transmits an information group {Ni. Li, Vi, Bi, Xi, C}, read out of the memory 
211. to the shop 300. 

Step 82: The shop 300 verifies the validity of the signature of the bank 100 applied to (Ni 11 VI II Li) in 
the license Bl of the user 200a by digital signature verification equipment 31 9A using the public key Oa and 
the validity of the signature of the bank applied to (Xi II ... II Xk/2 0 Bi II ... II 8^2) in the electronic coin C by 
15 digital signature verification equipment 31 9B using the public key eA*. This verification is^ performed 
following Eqs. (40) and (41). In the case of using the one-piece license B. Eqs. {40') and (41') are used. 
When the signatures of the bank 100 are not valid, the procedure is discontinued. 

Step S3: The shop 300 sends to the user 200. as an inquiry qi. time t available from a timer 321. a 
random value yi from a random generator 303 and the identification information IDv of the shop 300. At the 
20 same time these pieces of information are applied to a one-way function calculator 322 to calculate Ei = f- 
(qi) = f(IDv. t 7i). 

Step S*: The user 200 applies the received pieces of information IDv, t and yi to a one-way function 
calculator 221, and provides its output value Ei => f(IDv, t, y\) and pieces of information Si and Ni, read out 
of the memory 211, to a modulo power calculator 222. wherein Si^' mod Ni is calculated. The output of the 
25 modulo power calculator 222, the information Ni and information *r^*described later are inpot into a modulo 
multiplier 223 to obtain 
Yi a % • Si^ mod Ni (55) 

Then the user 200 transmits Yi and j as a response to the inquiry qi. Here. is a value which satisfies 
the following relation, and rt is precalculated by a modulo power calculator 253 and may be stored in the 
30 memory. 

%<i> 3 f| QQy^ mod Ni (56) 

where l/U is an inverse element Li as an exponent component in mod Ni. which satisfies the following 
equation: 

(1/Li) X U a 1 mod LCM {(Pi - 1) . (Qi - 1)} (57) 
35 The pieces of information Pi. Qi and Li are read out of the memory 211 and applied to an inverse element 
calculator 252 to calculate the value I/Li. The function fj(Xi) of Xi Is a one-way function which uses, as a 
parameter, j and is implemented by a one-way function calculator 251, in such a form as shown below. 
Here, assume that f is a suitable one-way function. 
fi(X) = f(XOj) (58) 

40 Step S5: The shop 300 Inputs the received j and Xi, read out of the memory 311. into a one-way 
function calculator 350 to calculate a function ifid) similar to that given by Eq. (58) using the j as a 
parameter. The output value Ei of the one-way function calculator 322 and the received pieces of 
information Vi and Ni are applied to a modulo power calculator 304 to calculate Vi^' mod Ni. and the output 
of the one-way function calculator 350, the output of the modulo power calculator 304 and the Information 

45 Ni are input into a modulo multiplier 313 to obtain fjP(i)*Vi^' mod Ni. Moreover, the pieces of infonmation Yi, 
Ni and Li are provided to a modulo power calculator 305 to calculate Yl^ mod NI. The outputs of the modulo 
power calculator 305 and tiie modulo multiplier 313 are applied to a comparator 308, thereby checking 
whether the following equation holds or not 
Yi" a (Xi) • Vi® (mod Ni) (59) 

50 If this equation holds, tfien the shop 300 judges that the user 200 has correctly generated the response Yi 
by use of the secret infonmation of his own. and accepts tiie electronic coin as valid and receives it. 

The procedure to be perfonned between the shop 300 and the bank 100 and their functional blocks are 
substantially identical witfi tiiose shown in Rgs. 6D and 7D, respectively, and hence their detailed 
description will not be given. Only tiie difference from tiie procedure of Rg. 6D is that the information sent 

55 from the shop 300 to tiie bank 100 in Step S21 in Rg. 6D must further contain tiie number of use j of tiie 
electronic coin. In the case where the bank 100 detects invalid double usage of the electronic coin, it is 
checked whetiier a set of information (Vi, Xi, j) of the same values as the set of information received In Step 
Sci of Rg. 2D Has already been stored in the memory 111 (where 1 5 j ^ k), and tfie subsequent steps are 
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identical with those Sea through Scs. That is, when two sets of information (Vi, Xu j) of the same values exist 
for the same coin C, two sets of other infonnation (El, Yi) and {B , Yi ) of different values exist 
corresponding to them, respectively, and consequently, the con^sponding secret information Si can be 
calculated as described previously. Since the secret information Si contains the user identification infomna- 
5 tion IDp. the user 200 of double usage of the electronic coin can be identified. 



[Transfer of the electronic Coin as the j-th Use] 

70 AcconJing to the second embodiment it is possible to combine the afore-mentioned transfer of the 
electronic coin and its plural use. 

Now, a descriptibn will be given of the case where the user 200a transfers the electronic coin C, as its j- 
th use, to the user 2D0b and the latter uses the transferred electronic coin for payment to the shop 300. 
Rg. 12A shows the procedure to be performed between the user 2Q0a who is the transferor and the 
76 user 200b who is the transferee, and Fig. 13A illustrates their functional blocks in such a case. In the 
following,! = 1...., k/2. 

Step Si: At first, the transferor 200a reads out of the memory 211 the information {Nl, U, Vi. Bi. Xi, C} 
that he has, and transmits the information to the transferee 200b. 

Step S2: The transferee 200b verifies the validity of the signature of the bank 100 applied to Mi = Ni II 

20 Vi II Li or (Mi, Mit/2) in the license Bi or B of the transferor 200a by digital signature verification 
equipment 519A using the public key Oa and verifies the validity of the signature of the bank 100 applied to 
Xi fl ... II Xk/2 i Bi II ... II B|t/2 or Xi I ... II X|t/2 II B in the electronic coin C by digital signature verification 
equipment 5188 using the public key Oa'. In this instance, the afore-mentioned verification equation (45) or 
(45') is employed for the former verification and the afore-mentioned verification equation (46) or (48') is 

25 employed for the latter verificatfon. If either sign|ture is found invalid, then no further processing will be 
perfomned. 

Step S3: The transferee 200b sends, as an inquiry, the random number from the random generator 
503 to the transferor 200a 

Step 84: The transferor 200a inputs the received random number €\ and the pieces of information Si and 
30 Ni of his own, read out of the memory 211, into the modulo power calculator 222 to calculate Si^i mod 
Nl. The output of the modulo power calculator 222 and the pieces of information Hi and ^i*^!*, read out of 
the memory 211. are applied to the modulo multiplier 223 to calculate 
Yi m • Si^i mod Ni. 

The output Yi of the modulo multiplier 223 and j are sent as a response to the transferee 200b. Here, 
as is the same as that described previously in respect of Fig. 11, and ^{^^"^ which satisfies Eqs. (56), (57) and 
(58) are precalculated and prestored in the memory 211. 

Step Ss: The transferee 200b input the received j and the information Xi. read out of a memory 511, 
into a one-way function calculator 521 to calculate the same function ifid) as given by Eq. (58) using j as a 
parameter. On the other hand, the random number €i from the random generator 503 and the received 
40 pieces of infonnation Vi and Ni are provided to a modulo power calculator 504 to calculate Vi^ f mod Ni. 
and the output of the modulo power calculator 504. the output fj(XI) of the one-way function calculator 521 
and the information Ni are applied to a modulo multiplier 513 to obtain fj(Xi) Vi^t mod Ni. Moreover, the 
received response Yi and the pieces of information Ni and Li, read out of the memory 511. are applied to 
modulo power calculator 505 to calculate Yi" mod Ni. The outputs of the modulo power calculator 505 and 
45 the modulo multiplier 513 are provided to a comparator 506, thereby checking whether ttie following 
equation holds or not: 
Yi" a fj (Xi) • Vi^ ' (mod Ni) (60) 

If this equation holds, tiie transferee 200b judges tiiat tiie transferor 200a has correctiy generated the 

response Yi based on the secret Si of his own. 
50 Step Sg: Then tiie transferee 200b reads out his pieces of license §1, &)uz (or B) from the memory 

51 1 and sends them to the transferor 200a. ^ ^ ^ 
Step S7: The transferor 200a applies his signature to the received pieces of license §! B\az (or B) by 

use of signing equipment 233 which calculates the digital signature function of Eq. (47). for example, and 

sends the signed license, as the deed of transfer T. back to the transferee 200b. 
55 Step Ss: The transferee 200b input the public key Ni of the transferor 200a and the received deed of 

transfer T Into digital signature verification equipment 51 9C to check whetiier Eq. (48) holds or not In the 

case of using the one-piece license §. the check is made using Eq. (48 ). When the verification equation 

holds, the transferee 200b accepts tiie j-th coin as an invalid one. 
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Next, a description will be given of the case where the transferee 200b pays with the transferred 
electronic coin C to the shop 300. Fig. 12B shows an exannple of the procedure to be performed between 
the user 200b and the shop 300. and Fig. 13B illustrates their functional blocks in such a case. In the 
following, i = 1, .... k/2. 

5 Step Sg: The user^OOb reads out the received information group {Ni. Li. Vi. Xi, Bi. Yi. C. T. j} and the 
information group {Ni, Li. Vi, Bi. of his own from the memory 51 1 and transmits them to the shop 300. 

Step Si o: The shop 300 verifies the validity of the signature of the bank 100 applied to (Ni II Vi II Li) in 
the license Bi of the transferor 2Q0a by the digital signature verification equipment 31 9A using the public 
key Ba and verifies the validity of the signature of the bank 100 applied to (Xi II ... II Xk/a [| Bi 11 ... II Bic/2) in 

10 the electronic coin C by the digital signature verification equipment 31 9B using the public key - For the 
verification of the signatures, Eqs. (45) and (46) are used, respectively. In the case of the one-piece license 
B, Eqs. (45 ) and (46 ) are used. Moreover, the validity of the signature of the transferor 200a applied to (§1 
Q ... II B(c/2) In the deed of transfer T is verified by the digital signature verification equipment 31 9C following 
Eq. (48). In the case of the one-piece license B, Eq. (48 ) Is employed. 

rs Step Si 1 : Furthermore, the shop 300 inputs the received pieces of information ei, Vi and Ni into the 
modulo power calculator 314 to calculate Vi^ ' mod Ni. and applies the output of the modulo power 
calculator 314 and the received pieces of information NI and Xi to the modulo multiplier 313 to calculate 
Xi*Vi^' mod Ni. On the other hand, the received pieces of infonnation Yi. Ni and Li are provided to the 
modulo power calculator 315 to calculate yi*-' mod NI, and the output of the modulo power calculator 315 

20 and the outputs of the modulo multiplier 313 are input into the comparator 316 to check whether the 
following equation holds or not 
Yi»^ a Xi • Vl« * (mod NI) - 

If this equation holds, then the shop 300 judges that the received pieces of infomriation Vi and Xi are those 
of the transferor 200a. 

25 Step Si 2: Moreover, the shop 300 verifies the validity of the signature of the bank 100 applied to (Ni 0 
Vi 1 D) in the license Bi of the user 200b by the digital signature verification equipment 31 9D using the 
public key ©a- For this verification the same equation as Eq. (50) is used. In the case of the one-piece 
license B. the verification is carried out using the same equation as Eq, (50'). When the signature of the 
bank 100 is found invalid, the processing is discontinued. 

30 Step Si 3: To verify the validity of the user information 9i of the transferee 200b. the shop 300 sends to 
the user 200b, as an inquiry qi. the output time t of the timer 321. the random number 71 from the random 
generator 303 and the identification information IDv of the shop 300. At the same time, the pieces of 
information IDv, t and -yi are input into the one-way function calculator 322 to calculate Ei = f(qi) = f(IDv. t, 

7i). 

35 Step Si 4: The user 200b inputs the received pieces of information IDv. t and 71 into a one-way function 
calculator 522, and then applies its output Ei « f(IDv. t,7i) and the pieces of infonnation Si and Ni of his 
own. read out of the memory 511. to a modulo power calculator 523 to calculate S^* mod Ni. The output of 
the modulo power calculator 523 and the pieces of information ^i'^^'' and Ri are input into a modulo 
multiplier 524 to calculate the following equation: 

40 Yi = • §i ^ mod Ni 

This output of the modulo multiplier 524 and j are sent as a response to the shop 300. Incidentally, ^i"^^"^ 

« satisfies the following equation as is the case with the afore-mentioned and it is precalculated and 
stored in the memory 51 1 . 
= fj pG)^-^ * mod Ni 

45 Step Sis: The shop 300 applied the output E of the one-way function calculator 322 and the received 
pieces of information Vi and Ni to the modulo power calculator 304 to calculate Vi^ mod Ni. On the other 
hand, the received Information j and the information Xi read out of the memory 31 1 are provided to the one- 
way function calculator 350 to calculate fj(Xi). and the output of the one-way function calculator 350. the 
information Ni and the output of the modulo power calculator 304 are input into the modulo multiplier 313 to 

so obtain fj(Xi)*9i^ mod Ni. Moreover, the received pieces of infonnation Yi, Ni and U are applied to the 
modulo power calculator 305 to calculate YI l • mod Ni. The outputs of the modulo power calculator 305 and 
the modulo multiplier 313 are applied to the comparator 308, wherein it is checked whether the following 
equation holds or not 
YI ' a f, (Xi) • Vi ^ (mod Ni ) 

55 If this equation holds, the shop 300 judges that the information Vi is the information of the transferee 200b. 
and accepts the electronic coin C as a valid one. 

The procedure to be taken between the bank 100 and the shop 300 and their functional blocks are 
substantially the same as those shown in Rgs. 8C and 9C. and hence are not shown. The above-described 
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procedure differs from the previously described one in that the information group which is transmitted to the 
bank 100 in Step Sis of Rg. 8C is added with the number-of-use information j received from the user 200b. 
To detect Invalid double usage, the bank 100 checks in Step Sci of Rg. 2D as to whether the set of 
information of the same values as the received set of information (VI. Xi. j) is present in the memory 111, 

5 and the subsequent steps are the same as those Steps Sc2 through Scs- In the case where two sets of the 
same information (Vi, XI. j) are exist sets of Infomriation (B, Yi) and (Ei'. Yi') of different values 
con'esponding to them also exist, and the corresponding seaet infomnation Si can be calculated. Hence, the 
user of double usage can be identified. 

As has been described above, according to the present invention, by adapting protocols of the bank. 

10 the users and the shops to attain the intended purposes, It Is possible to implement electronic cash having 
the same functions as those of the prior art system, without taking into account the collision-free property of 
the two components of the function f which poses a problem in the prior art. 

By issuing the license in advance so that it is used for issuing the electronic coin, the processing for 
issuing the electronic coin involves only one blind signature generating procedure, and consequently, the 

75 burden of the processing can be lessened. 

Furthermore, the present invention permits the transfer of the electronic coin between users which is 
impossible with the prior art. That is, the user who has the electronic coin issued by the bank can transfer 
the electronic coin. In this instance, if the user transfers a used electronic coin to another user, or if the user 
transfers the same electronic coin to a plurality of users, the secret information of the user who fraudulently 

20 processed the electronic coin will be revealed as in the case where the same coin is used twice. 

Moreover, the present invention makes it possible to implement a system in which one electronic coin 
can be used a plurality of times within a fixed number of times. This system produces the same effect as In 
the case where the user possesses many coins though the amount of infonmation to be held is small (the 
same amount of infomnation as in the case of possessing one coin). 

25 It will be apparent that many modifications and variations may be^ effected without departing from the 
scope of the novel concepts of the present invention. 

Claims 

30 

1 . An electronic cash implementing method in which a bank issues electronic cash to a user, said user 
pays a third party with said electronic cash, and said bank settles accounts with a party who finally 
possesses said used electronic cash, said method comprising the following steps: 
wherein said usen 

35 (a) generates user information based on secret information containing identification information of his 

own, through utilization of a first one-way function; 

(b) obtains signed user information by having said bank apply blind signature to information 
containing said user information; 

(c) generates authentication information based on random information through utilization of a second 
40 one-way function; 

(d) obtains signed authentication information by having said bank apply blind signature to information 
containing said authentication information; 

(e) sends, as said electronic cash issued by said bank, electronic cash information containing said 
user Infomnation. said signed user information, said authentication information and said signed authentica- 

45 tion infomnation to said third party; 
wherein said third party: 

(f) verifies the validity of said signed user information and said signed authentication information 
contained in said electronic information received from said user; 

(g) if said validity Is verified, generates and sends an inquiry to said user; 
60 wherein said user: 

(h) generates a response based on at least said secret information generated by himself and said 
inquiry received from said third party and sends said response to said third party; 

wherein said third party: 

(i) verifies the validity of said response through utilization of said user information and said 
55 autiientication information contained in said electronic cash information received from said user and. if said 

response is valid, receives said electronic cash as valid one; 

(0 sends said electronic cash information, said Inquiry of said'tfiird party, and said response of said 
user to a fourtii party, as required. 

23 



EP 0 391 261 A2 



2. The electronic cash implementing method of claim 1 including a step wherein having when received, 
from a final party who possesses said used electronic cash, information containing said electronic cash 
information, said inquiry generated by said third party and said response generated by said user for 
settlement of accounts, said bank verifies the validity of said signed user information and said signed 

5 authentication information contained in said electronic cash information and the validity of said response of 
said user to said inquiry of said third party. 

3. The electronic cash implementing method of claim 2, wherein the step for settlement of accounts 
includes a step wherein said bank: 

detects invalid usage of said electronic cash by said user by checking whether or not a pair of pieces of 
10 information of the same vaiues as the pair of said user information and said authentication infonnation 
contained in said electronic cash exists in Information stored in a memory of said bank^and 
stores information containing said electronic cash information, said inquiry and said response in said 
memory. 

4. The electronic cash implementing method of claim 2, wherein said user possesses said signed user 
15 information as a license issued by said bank; in case of necessity, said user has said bank apply blind 

signature to information containing said authentication information and said license to obtain signed 
authentication infonmation and uses said signed authentication infonmation thus obtained, as an electronic 
coin issued by said bank; when said user uses said electronic coin, he sends an information group 
containing at least said license, said electronic coin, said user information and said authentication 
20 information, as said electronic cash, to said third party; and said third party and said bank verify the validity 
of said signed user infonmation and said signed authentication information as the verification of the validity 
of said license and said electronic coin. 

5. The electronic cash implementing method of claim 4. wherein said final party is said third party; said 
fourth party is said bank; and said inquiry generated by said third party contains identification information of 

25 said third party and time information. 

6. The electronic cash implementing method of claim 4, wherein said third party has secret infonmation 
and license of his own; and wherein when having verified that said response from said user is valid, said 
third party sends said license of his own to said user, and said user signs said third party's license and 
sends said signed license as a deed of transfer to said third party. 

30 7. The electronic cash implementing method of claim 6. wherein said final party is said fourth party; 
said fourth party receives from said third party at least said user's license, said electronic coin, said user 
information, said authentication information and said response which have been presented by said user, and 
said third party's license, said third party's user information and said Inquiry presented by said third party: 
said fourth party: 

35 verifies the validity of each of said user's license and said electronic coin; 
verifies the validity of said user's response to said third party's inquiry; 
verifies the validity of said third party's license; 

generates an inquiry containing identification information of said fourth party himself and time infonnation 
and sends said inquiry to said third party; said third party: 
40 generates a response based on said fourth party's inquiry, said third party's secret infonmation and 
information generated based on said user's authentication information and sends said response to said 
fourth party; 
said fourth party: 

verifies the validity of said third party's response through utilization of said third party's user information. 
45 said fourth party's Inquiry and said user's autiientication Information; and 

sends to said bank information containing said electronic cash information, said third party's inquiry, said 
user's response, said third party's license, said third party's user information, said fourth party's inquiry and 
said tiiird party's response. 

8. The electronic cash Implementing method of claim 7. wherein said step for the settlement of 
50 accounts includes a step wherein said bank verifies tiie validity of said third party's response to said fourth 

party's inquiry; a step wherein said bank detects invalid usage of said electronic coin by said third party by 
checking whether or not an information group of the same values as an Information group of said user's 
autiientication infonmation and said third party's user infonmation exists in information stored in said memory 
of said bank; and a step wherein said bank stores the information including said electronic cash information. 
55 said tiiird party's inquiry and said user's response into said memory. 

9. The electronic cash implementing metiiod of claim 4, wherein said bank permits said electronic coin 
to be used a predetenmined number K of times; in response to said third party's inquiry in a j-th (where 1 S 
j S K) use of said electronic coin, said user generates said response based on said user's secret infonmation 
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and information calculated fronn said user's authentication infonnation through utilization of a one-way 
function which varies using said value j as a parameter, and said user sends said response and said value j 
to said third party; and said third party verifies the validity of said response through use of said inquiry, said 
user's authentication information, said user's infonmation and said value j, and inserts said value j into said 

5 information to be,provided to said fourth party. 

10. The electronic cash implementing method of claim 9, further including a step wherein when having 
verified that said response from said user is valid, said third party sends license of his own to said user; 
said user signs said third party's license and sends said signed license as a deed of transfer to said third 
party; and said third party verifies the validity of said deed of transfer. 

10 11. The electronic cash implementing method of claim 9 or 10, further including a step wherein said 
bank receives also said value j from said final party and detects invalid usage of said electronic coin by said 
user by checking whether or not an infonmation group of the same values as the information group of said 
user information, said authentication infonmation and said value j exists in the information stored in said 
memory of said bank. 

75 12. The electronic cash implementing method of claim 1. 2 or 4, wherein said step of making said bank 
apply blind signature to said information containing said user infbmnation. Includes: 
a step wherein said user processes said information containing said user information with a one-way blind 
signature preprocessing function using a randomizing random number as a variable and sends said 
randomized infomnatton as randomized user information to said bank; 

20 a step wherein said bank signs a part of said randomized user information with a signature function and 
returns said signed information as signed-randomized user infonmation to said user; and 
a step wherein said user removes the influence of said randomizing random number from said signed- 
randomized user information with a blind signature postprocessing function to thereby obtain said signed 
user information. 

» 25 13. The ^ectronic cash implementing method of claim 12, further including: 

a step wherein said user generates k pieces of said secret information, k being an integer equal to or 
greater tiian 2, and k pieces of each of said user information and said randomized user information 
corresponding to said k pieces of secret information, respectively; and 

a step wherein having received said k pieces of randomized user information, said bank demands said user 
30 to present a predetermined number of groups of data containing said secret information and said 

randomizing random numbers used for the generation of those of said randomized user information 

selected by said bank, calculates said selected pieces of randomized user information from said group of 

data obtained from said user and verifies that the calculated results each coincide with the corresponding 

one of said randomized user information received from said user. 
35 14. The electronic cash implementing method of claim 13. wherein said part of randomized user 

information is a predetenmined second number of pieces of said randomized user information other than 

those used for said verification and said bank sends said predetermined second number of pieces of said 

signed randomized user infonmation to said user. 

15. The electronic cash implementing method of claim 1, wherein said step of making said bank apply 
40 said blind signature to said information containing said user Infonmation and said step of making said bank 

apply said blind signature to said information containing said authentication infonmation, include 

a step wherein: 

said user 

generates k. k being an integer equal to or greater than 2, pieces of said secret Information SI each 
45 containing said identification information IDp. generates k pieces of said random number information Ri, 
generates k pieces of said user infonmation Vi and k pieces of said authentication information Xi on the 
basis of said k pieces of secret infomnation Si and said k pieces of random information Ri by use of said 
first and second one-way functions, generates k pieces of said randomized user information Wl each 
randomized by applying each of said k pieces of user infonmation Vi as a variable to said one-way first blind 
50 signature preprocessing function, generates k pieces of said randomized authentication information 21 each 
randomized by applying each of said k pieces of authentication information Xi as a variable to said one-way 
second blind signature preprocessing function, and sends said k pieces of randomized user information Wi 
and said k pieces of randomized authentication information Zi to said bank; 
said bank: 

55 selects a predetermined first number ki of pieces of said randomized user information and k pieces of said 
randomized authentication information from said k pieces of randomized user information and said k pieces 
of randomized autiientication information, respectively, where ki is smaller tiian k, specifies ki information 
groups each con^ning said secret information Si and said random information Ri used for generating said 
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randomized user information Wi and said randomized authentication information Zi selected by said bank, 
and demands said user to present said specified ki information groups; 
said user: 

sends to said bank said kt infbnmation groups specified by said bank; 
5 said bank: 

calculates said kt randomized user Information Wi and said ki randomized authentication information Zi on 
the basis of said infonmation groups received from said user, verifies that the ki pieces of randomized user 
information Wi' thus calculated and the ki pieces of randomized authentication information Zi' thus 
calculated respectively coincide with said selected ki pieces of randomized user information Wi and said 

to selected ki pieces of randomized authentication information Zi, confinms that said identification information 
IDp of said user is contained in all pieces of said secret information Si in said information groups received 
from said user, generates a predetermined number k2 of pieces of signed-randomlzed user information Qj 
by signing, with a first signature function, kz pieces of randomized user information among said k pieces of 
randomized user information Wi received from said user, except said selected ki pieces of randomized 

ts user information, sends said kz pieces of signed-randomized user information Qi to said user, generates ka 
pieces of signed-randomized authentication information Gi by signing, with a second signature function, ks 
pieces of randomized authentication information among said k pieces of randomized authentication 
infonmation Zi received from said user, except said selected ki pieces of randomized authentication 
infonnation, and sends said k2 pieces of signed-randomized authentication information Q\ to said user; and 

20 said user: 

derandomizes said ka pieces of signed-randomized user information Qi and said kz pieces of signed- 
randomized authentication information 9i with first and second blind signature postprocessing functions, 
respectively, to obtain kz pieces of said signed user information Bvi and kz pieces of said signed 
authentication information 6x1; 
25 wherein processing related to said signed user infomnation and said signed auth#iticatlbn information In tlTe- 
use of said electronic cash is performed for said second number kz of pieces of signed user information 
and said second number kz of pieces of signed authentication information. 

16. The electronic cash implementing method of claim 15, wherein 
said user: 

30 generates k prime numbers Li, k pairs of secret prime numbers Pi and Qi. and k prime-number products Pi 
X Qi = Nl. calculates said user information Vi and said authentication information Xi from said secret 
information Si and said random information Ri by use of said first and second one-way functions 
respectively expressed by tiie following equations: 
Vi = Si*^ mod Ni 

35 Xi = Ri" mod Ni 
where i = 1 k. 

17. The electronic cash implementing metiiod of claim 16, wherein said final party is said third party 
and said fourtii party is said bank, and further including a step wherein when using said electronic cash with 
respect to said third party, said user sends kz sets of information {Vi, Bvi. Xi. Bxi} as electronic cash 

40 information to said third party, together with said prime-number product Ni and said prime number Li; said 
tiiird party produces kz pieces of said inquiry qi and sends them to said user, and for said kz items i. 
calculates inquiry information Ei by use of an inquiry function Ei = f(qi); said user calculates kz pieces of 
inquiry information B from said inquiry by use of said inquiry function B = f(qi). and generates and sends 
to said third party kz responses expressed by the followirig equation: 

45 Yi = Ri'Si^modNi; 

and said third party verifies the validity of said response Y] by checking It to ensure tiiat the following 
verification equation holds for ail of kz items i. by use of said response Yi: 
Yi*-'aXi'Vi^ (mod Ni). 

18. The electronic cash implementing metfiod of claim 17, furtiier including a step wherein said third 
50 party sends to said bank said electronic cash information {Bi. Bvi, Xi, Bxi}, said inquiry qi, said response Yi 

and said information Li and Ni for all of the kz items i for settlement of said electronic cash: said bank 
verifies the validity of said response Yi to said inquiry (IDv, t, 71) by checking whetiier or not the following 
verification equation holds for all of the kz items i: 
Yi"aXi*Vi^{modNi). 

55 19. The electronic cash implementing metiiod of claim 18. further including a step wherein said bank 
checks whether or not a pair of information of the same values as a pair of said user information and said 
autiientication information {Vi. Xi} received from said ttiird party exists in said memory of said bank; if such 
pair of infonmation does not exist, said bank stores in said memory ttie information received from said third 
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party; and if such pair of information exists, said banic reads out the corresponding inquiry qi' and response 
Yi' from said memory, calculates inquiry information Ei = f(qi ) from said read-out inquiry qi , solves, by 
the Euclid's algorithm, integers a and 0 which satisfy the following equation: 
a»Li + i3(B-Ei') = 1. 
5 calculates secret infomnatton Si by the following equation: 
Vi«*(Yi/Yiy mod Ni = Si, 

and detects from said calculated secret Information Si identification information IDp of said user who 
invalidly used said electronic cash. 

20. The electronic cash implementing method of claim 4, wherein said step of obtaining said license, 
10 includes a step wherein: 

said user: 

generates k, k being an integer equal to or greater than 2. pieces of secret infonmation SI, each containing 
said identification information, generates k pieces of said user infonmation Vi from k pieces of said secret 
information Si by use of said first one-way function, generates k pieces of said randomized user information 
/5 Wi by applying, as a variable, information Mi containing said user infonnnation to a one-way first blind 
signature preprocessing function, and sends said k pieces of randomized user information Wi to said bank; 
said bank: 

selects a predetemiined number ki, ki being smaller than k, of pieces of said randomized user information 
from said k pieces of randomized user infonnation WI received from said user, and demands said user to 
20 present specified number of sets of Information containing said secret information used by said user for 
generating said selected randomized user information; 
said user: 

sends said specified k? sets of information to said bank; 
said bank: 

25 calculates ki pieces of corresponding,, ranc[pmized user information Wi from said sets of infonmation 
received from said user, verifies that these calculated pieces of*randomized user information W\ respec- 
tively coincide with con'esponding pieces of said randomized user Infonmation Wi selected by said bank, 
confirms that said identification Information IDp of said user is contained in each of pieces of said secret 
infonmation Si In said sets of information received from said user, and generates a predetermined number 

30 kz of pieces of signed-randomized user information Qj by signing, with a first signature function, kz pieces of 
said randomized user infonmation among said k pieces of randomized user information Wi received from 
said user, except said selected ki pieces of randomized user information, and sends said k2 pieces of 
signed-randomized user Information Qt to said user; and 
said user 

35 obtained kz pieces of said signed user information Bi by derandomizing with a first blind signature 
postprocessing function each of said kz pieces of said signed-randomized user information received from 
said bank; and 

wherein said user uses said kz pieces of signed user information as said license issued by said bank. 

21. The electronic cash implementing method of claim 20, further including a step of issuing said 
40 electronic coin, wherein 

said user generates kz pieces of said random information Ri, generates from said kz pieces of random 
infonmation kz pieces of said autiientication information Xi by use of said second one-way function, 
generates said randomized authentication information Z by applying, as a variable, information m containing 
kz pieces of said license Bi and kz pieces of said authentication information Xi to a one-way second blind 
45 signature preprocessing function, and sends said randomized authentication information Z to said bank; 
said bank: 

generates said signed-randomized authentication infonmation 6 by signing with a second signature function 
said randomized authentication infonmation Z received from said user, and sends said signed-randomized 
authentication information 8 to said user; and 
so said user 

obtains, as said electronic coin C. said signed autiientication information by derandomizing said signed- 
randomized authentication infomiation 9 with a second blind signature postprocessing function. 

22. The electronic cash implementing method of claim 21. furtiier including a step wherein: 
said user 

55 generates k prime numbers Li, k pairs of secret prime numbers Pi and QI and k prime-number products Ni 
= Pi X Qi. calculates k pieces of said user infonmation Vi from k pieces of said secret information Si by- 
said first one-way function expressed by the following equation: 
Vi « Si" mod Ni. 
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where i = 1 k. 

23. The electronic cash implementing method of claim 22. further including a step wherein, supposing 
said kz items i = 1, ka, 

said user: 

5 generates kz pieces of said authentication information Xi by said second one-way function expressed by the 
following equation: 
Xi = Ri" mod Nl, 
wherein i = 1 kz. 

24. The electronic cash implementing method of claim 23, wherein said final party is said third party 
10 and said fourth party is said bank, and further including a step wherein: 

said user: 

when using said electronic coin C. furnishes saitf third party with said electronic cash information containing 
said electronic coin C. ka pieces of said license Bf. ka pieces of said user information Vi and ka pieces of 
said authentication information Xi, along with ka said prime numbers Li and ka pieces of said information Ni; 
75 said tiiird party: 

generates said inquiry qi, fumishes said user with said inquiry qi, and calculates ka pieces of inquiry 
infomnation Ei by an inquiry function Ei = f(qi); 
said user: 

generates inquiry information Ei from said inquiry qi by said inquiry function, generates kz pieces of said 
20 response Yi from said inquiry information Ei, said secret information Si and said random infonmation Ri by 
the following equation: 
Yi = Ri'Si^mod Nl. 
wherein i = 1, .... ka. 

and furnishes said tiiird party with said response Yi; and 
""25 laid third party: 

verifies the validity of said response Yi by checking it to ensure tiiat a verification equation expressed by 
the following equation: 
Yi^ a Xi'Vi^ (mod Ni). 
where i = 1, .... ka. 

30 holds, by use of said inquiry information E generated by himself and said user information Vi and said 
authentication information XI received from said user, and regards said electronic coin C as valid. 

25. The electronic cash implementing method of claim 24, furtfier including a step wherein: 
said third party: 

furnishes, for settlement of said electronic coin, said bank with information containing said electronic cash 
35 information {Vi. XI, Bi. C}, said prime-number products Ni, said prime numbers Li. said inquiry qi and said 
response Yi; 
said bank: 

verifies the validity of said response Yi to said inquiry qi by checking that the following equation holds: 
YI" m Xi*Vi^ (mod Ni), 
40 where 1 = 1. .... ka. 

26. The electronic cash implementing method of claim 25, further including a step wherein said bank 
checks whettier or not a pair of information of tiie same values as a pair of said user Information and said 
authentication information (Vi. Xi} received from said fourth party exists in said memory of said bank; if 
such a pair of infonmation does not exist, said bank stores in said memory the information received from 

45 said fourtii party; and If such a pair of Infomnation exists, said bank reads out the corresponding inquiry qi' 
and response Yi' from said memory, calculates inquiry information El' = f{qi') from said read-out inquiry qi' 
solves, by the Euclid's algorittim, integers o and 0 which satisfy tiie following equation: 
a-LI + j8{Ei-B') = 1. 

calculates secret Infomnation Si by tiie following equation: 
60 Vi«*(YiAl')^modNI = SI. 

and detects from said calculated secret information Si identification Information of said user who invalidly 
used said electronic coin. 

27. The electronic cash implementing method of claim 23, wherein said final party is said fourth party, 
and furtiier including a step wherein: 

55 said user 

when sending said elect^nic coin to said tiiird party, furnishes said third party witti infonmation containing 
said electronic cash information {Vi. Xi. Bi, C}, said prime-number products Ni and said prime numbers Li; 
said tiiinj party: 
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generates ka pieces of said inquiry 4} and sends them to said user: 
said user 

generates k2 pieces of response Yi from said inquiry ci, said random infonmation Ri and said secret 
Information Si by the following equation: 
5 Yi = Rl'Si^l mod Ni, 
where i = 1, .... kz, 

and sends said k2 pieces of response Yi to said third party; 
said third party: 

verifies the validity of said response by checking it to ensure that the following equation holds: 
TO Yi'J^Xi'Vi^i (modNI). 
where i = 1 , kg, 

and furnishes said user with kz pieces of license Bi of said third party; 
said user: 

generates a deed of transfer T by applying a signature, with use of the prime-number NI of said user, to 
75 said kz pieces of license Bi and sends said deed of transfer T to said third party. 

28. Tlie electronic cash implementing method of claim 27. further including a step wherein: 
said third party; 

when using said electronic coin, furnishes said fourth party with the infonmation Ni, LI, said electronic cash 
infomnation {Vi. X. Bi, C}, said deed of transfer T. said third party's inquiry^ ct, said user's response Yi. said 
20 third party's license Bi, and said third party's prime-number products Ni, prime numbers Li and user 
infonmation 9i used for generating said third party's license Bi; 
said fourth party; 

verifies the validity of said response Yi of said user by checking it to ensure that the following equation 
holds; 

25 Yi"=i 'Xi*Vi^i (mod NI), 
where i - 1, kz. 

generates an inquiry qi. sends said inquiry qi to said third party, and calculates inquiry information B from 
an inquiry function B = f(qi); 

said third party calculates inquiry information Ei from said inquiry qi received from said fourth party by said 
30 inquiry function B = f(qi). generates a response ?i from the following equations: 
? = Xi^'Lifpod Ni, 
Yi = $(*§i^modNi. 
where 1 = 1 kz 

and sends said response Yi to said fourth party; and 
35 said fourth party: 

verifies the validity of said response Yi of said third party by checking It, through use of said user's 
authentication information Xi, to ensure that the following equation holds: 
YiLisXi*Vi^(modN)i. 
where i = 1 ka. 

40 29. The electronic cash implementing method of claim 28. further including a step wherein: 
said fourth party: 

for settlement of said electronic coin, fumishes said bank with said electronic cash information {V\, Xi. BI, 
C}. pieces of the infonnation Ni. Li and Yi of said user, said deed of transfer T. the information {Ni, 9i, Li. 
BI. €\, 9i} of said third party and said inquiry qi of said fourth party; 
45 said bank: 

verifies the validity of said response Yi of said user and said response Yi of said third party by checking 

them to ensure that the following equations hold: 

Yi"BXi*Vi«i (modNi), 

where 1 = 1 ka, 

50 YiL'aXi-9i^(mod Ni). 

30. The electronic cash implementing method of claim 29. further including a step wherein said bank 

checks whether or not a pair of information of the same values as a pair of said user information and said 

authentication information {Vi. Xi} received from said fourth party exists in said memory of said bank: if 

such a pair of information does not exist, said bank stores in said memory the information received froni 
55 said fourth party; and if such a pair of infonmation exists, said bank reads out the corresponding inquiry qi 

and response Yi' from said memory, calculates inquiry information E\ = f(qi') from said read-out inquiry 

qi'. solves, by the Euclid's algorittim. Integers a and /3 which satisfy the following equation: 

a*U + fiiEi'B) = 1. 
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calculates secret information Si from the following equation: 
Vi°*(Yi/Y(')j9 mod Ni = Si, 

and detects from said calculated secret information Si the identification Information of said user who 
invalidly used said electronic coin C. 

5 31. The electronic cash implementing method of claim 29 or 30, further including a step wherein said 
bank checks whether or not a pair of information of the same values as a pair {% Xi} of said user 
information VI of said third party and said authentication information Xi of said user received from said 
fourth party, is stored in said memory of said bank; If such a pair of Information is not found, said bank 
stores in said memory the information received from said fourth party: and if such a pair of information is 

10 found, said bank reads out the corresponding inquiry qi' of said fourth party and the response Yi' thereto of 
said third party from said memory, cateulates inquiry information Ei' = f(qi') from said read-out inquiry qi', 
solves, by the Euclid's algorithm, integers a and jS which satisfy the following equation: 
a*LI + /3(B - El') = t. 

calculates secret infomnation Si from the following equation: 
75 Vi°*(Yi/YiV mod Ni = Si, 

and detects from said calculated secret information §i the identification information of said third party who 
invalidly used said electronic coin C. 

32. The electronic cash implementing method of claim 23. wherein said bank allows said electronic coin 
to be used a predetermined number K of times, said final party is said third party and said fourth party is 

20 said bank, and further including a step wherein: 
said user. 

furnishes said third party with said electronic cash information {VI. X, Bi, C} and information {Ni. U} at the 
time of a j-th use of said electronic coin by said user, where 1 ^ j ^ K; 
said third party: 

26 generates kz pieces of said inquiry qi, sends said inquiry qi to said user, and calculates inquiry information 
B by an inquiry function B = f(qi); 
said user: 

calculates said inquiry information Ei from said inquiry qi by said inquiry function Ei = f{qi), generates said 
response Yi from the following equations: 
30 = fiPQ)""^ mod Ni. 
where i = 1, .... fe, 
Yi = ^r'i^^-Si^ mod Ni, 

sends said response Yi to said third party, where ffiQ) is a function of Xi which varies with j as a parameter; 
and 

35 said third party: 

verifies the validity of said response Yi by checking it to ensure that the following equation holds: 
Yi"»fj(Xi)»Vi^ (mod Ni), 
where i = 1 kz. 

33. The electronic cash implementing method of claim 23. wherein said bank allows said electronic coin 
40 to be used a predetermined number K of times, and further including a step wherein: 

said usen 

furnishes said third party with said electronic cash infonmation {Vi. Xi, Bi. C} and information {Ni. Li} at the 
time of a j-th use of said electronic coin by said user, where 1 ^ j ^ k: 
said third party generates said inquiry and sends it to said user; 
45 said user. 

generates said response Yi by the following equations with use of said inquiry ej: 

= ffiQ)^^ mod Ni. 
where i = 1. .... k2, 
Yi = *i^i**Si^ i mod Ni. 

50 and sends said response Yi to said third party, together with j. where fj(Xi) is a function of Xi which varies 
with j as a parameter; 
said third party: 

verifies the validity of said response Yi by checking it to ensure that the following equation holds: 
Yi*^afj{Xl)*Vi^l (modNi). 

55 where i = 1 ka, 

and furnishes said user with a license Bi. where i = 1, ka. which said third party has; 
said usen 

generates a deed of transfer T by applying a signature, with use of a prime-number product Ni of said user, 
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to said license Bl of said third party and sends said deed of transfer T to said third party. 

34. The electronic cash implementing method of claim 33, wherein said final party is said fourth party, 
and further including a step wherein: 

said third party: 

5 when using said electronrc coin C. furnishes said fourth party with said electronic cash information {Vi, Xi, 
Bi, C} information {Ni, Li. T. Yi. j} of said user and information {Ni, Li, §i, €(} of said third party; 
said fourth party: 

verifies the validity of said response Yi of said user by checking it to ensure that the following equation 
hold: 

10 Yi*^BXi*Vi^i (modNi). 
where i = 1, kz, 

generates an inquiry qi, sends said inquiry qi to said third party, and calculates inquiry information Ei from 
an inquiry function O = f(qi); 
said third party: 

75 calculates said inquiry function Ei from said inquiry qi by said inquiry function Ei = f(qi). generates a 

response 9i by the following equations: 

^r,*^ = f|(Xi)^'Limad Ni, 

Yi =: V^^'Si^' mod Ni. 

where i = 1 k2. 

20 and sends said response Yr to said fourth party; and 

said fourth party: 

verifies the validity of said response ?i of said third party by checking it to ensure that the following 
equation holds: 
YiLisfj(Xi)*Vi^ (mod Ni), 
25 where i = U2. ^ ^ 

35. The electronic cash implementing method of claim 32. further including a step wherein, when 
having received information containing said electronic cash information {Vi. Xi, Bl. C}, the information {Ni. 
LI, Yi. j} of said user and the inquiry ql of said third party, from said final party for settlement of said 
electronic coin, said bank calculates inquiry information B by said inquiry function B = f(qi), and checks 

30 whether or not a set of information of the same values as a set of said user information Vi, said 
authentication information Xi and said j is stored in said memory of said bank; and if such a set of 
infomiation Is found, said bank reads out the con^esponding Inquiry qi' of said third party and the 
corresponding response Yi of said user from said memory, calculates inquiry information Ei' = f(ql') from 
said read-out Inquiry qi', solves, by the Euclid's algorithm, integers a and j8 which satisfy the following 
equation: 

a*Li + fi{E\' Ei) = 1, 
where 1 = 1, kz, 

calculates secret information Si from the following equation: 
V(**(Yi/Yiy mod Ni = Si, 
where i = 1, .... kg, 

and obtains from said calculated secret information Si the identification information IDp of said user who 
invalidly used said electronic coin. 

36. The electronic cash implementing method of claim 4, wherein said step of making said bank apply 
said blind signature to said information containing said user information, includes a step wherein: 
said user 

generates k, k being an integer equal to or greater than 2. pieces of said secret information SI each 
containing said identification information, generates k pieces of said user information Vi from said k pieces 
of secret information Si by use of said first one-way function, generates k pieces of said randomized under 
infomiatton Wi randomized by applying, as a variable, information Mi containing each of said k pieces of 
user information Vi to a one-way first blind signature preprocessing function, and sends said k pieces of 
randomized user information Wi; 
said bank: 

when having received said k pieces of randomized user information Wi. selects therefrom a predetermined 
first number ki of pieces of said randomized user infonmation, ki being smaller tiian k, specifies sets of 
information each containing said secret information Si used by said user for generating said randomized 
user information, and demands said user to present said specified sets of infomnation; 
said user 

furnishes said bank with said ki sets of information specified by said bank; 
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said bank: 

calculates, from said sets of infonnation received from said user, ki corresponding pieces of randomized 
user information Wi', verifies that said calculated randomizecj user information Wi coincide with the 
corresponding pieces of said selected randomized user information Wi. respectively, confirms that said 

5 identification information IDp of said user is contained in all the pieces of said secret information in said 
sets of information received from said user, generates signed-randomized user information Q by signing, 
with a first signature function, multiplex randomized user information obtained from a predetermined number 
kz of pieces of said randomized user information among said k pieces of randomized user information 
received from said user, except said selected kt pieces of randomized user information, sends said signed- 

70 randomized user information Q to said user; and 
said user 

derandomizes said signed-randomlzed user information n. received from said bank, with a first blind 
signature postprocessing function to obtain said signed user information B; 
wherein said user uses said signed user infonmation B as said license issued by said bank. 
76 37. The electronic cash implementing method of claim 36, wherein said step of issuing said electronic 
coin, including a step wherein: 
said user: 

generates ka pieces of said random Information Ri, generates therefrom k2 pieces of said authentication 
information Xi by a second one-way function, generates said randomized authentication information Z by 
20 applying information m containing said k2 pieces of said authentication information Xi and said license B. as 
a variable, to a one-way second blind signature preprocessing function, and sends said randomized 
autiientication information Z to said bank: 
said bank: 

generates said signed randomized autiientication information 9 by signing said randomized authentication 
25 information Z with a second signature function, and sends said signed-randomized authentication informa- 
tion 6 to said user, and 
said user: 

derandomizes said signed-randomized autiientication infonmation e witii a second blind signature post- 
processing function to obtain said signed authentication information as said electronic coin C. 
30 38. The electronic cash implementing method of claim 37. further including a step wherein: 
said user: 

generates k prime numbers Li, k pairs of secret prime numbers Pi and Qi and k prime-number products Ni 
= Pi X Qi, calculates k pieces of said user information Vi from k pieces of said secret information Si by 
said first one-way function expressed by the following equation: 
35 Vi = Si^' mod Ni, 
where i = i k. 

39. The electronic cash implementing metiiod of claim 38. further including a step wherein, letting said 
kz items i be 1, .... kz, 
40 said user 

generates kz pieces of said authentication infonmation Xi by using said second one-way function expressed 
by the following equation: 
Xi = Ri^ mod Ni. 
where i = 1, kz. 

45 40. The electronic cash implementing metiiod of claim 39. wherein said final party is said tfiird party 
and said fourth party is said bank, and furtiier including a step wherein: 
said user 

when using said electronic coin, furnishes said third party with said electronic cash information containing 
said elect-onic coin C, said license B, kz pieces of said user infonnation Vi and ka pieces of said 
50 authentication infonnation Xi, kz said prime numbers Li and kz said prime-number products Ni; 
said third party: 

generates said inquiry qi, sends said inquiry qi to said user, and calculates ka pieces of inquiry information 
B from an inquiry function Ei = f{qi). 
said user 

55 generates inquiry information B from said inquiry qi by said inquiry function, generates ka pieces of said 
response from said inquiry information Ei, said secret infonmation Si and said secret random information Ri 
by the following equation 
Yi = Ri*Si® mod Ni. 
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where i = 1. .... ka, 

and sends said k2 pieces of response to said third party; and 
said third party: 

verifies the validity of said response Yi by checking them to ensure that the following equation 
5 yi" aXi*Vi^'(mod Ni), 
where i = 1, .... ka 

holds, by use of said inquiry infonmation Ei formed by himself, said user information Vi and said 
authentication infonnnation Xi received from said user, and authenticates said electronic coin as valid. 

41 , The electronic cash implementing method of claim 40, further including a step wherein: 
10 said third party: 

for the settlement of said electronic coin, furnishes said bank with information containing said electronic 
cash information (Vi, Xi. B, C). said prime-number products Ni. said prime numbers Li, said inquiry qi and 
said response Yi; 
said bank: 

75 verifies the validity of said response Yi to said inquiry qi by checking that the following equation holds: 
Yi^aXi'Vi® (mod Ni). 
where i = 1 ka. 

42. The electronic cash implementing method of claim 41. further including a step wherein said bank 
checks whether or not a set of information of the same values as a set of said user information and said 

20 authentication information {Vi. Xi} received from said fourth party exists in said memory of said bank; if 
such a pair of information is found, said bank stores in said memory said information received from said 
fourth party; and if such a pair of infbnriation is found, said bank reads out of said memory the 
corresponding inquiry qi' and response Yi', calculates an inquiry information Ei' f(qi') from said read-out 
inquiry qi'. solves, by the Euclid's algorithm, integers a and fi which satisfy the following equation: 

25 a*Li + p{B'E\) = 1. c- * 

calculates secret information Si by the following equation: 
V\°'*<ymy mod Ni =: Si, 

and obtains from said calculated secret information Si the identification infomnation IDp of said user who 
invalidly used said electronic coin. 
30 43. The electronic cash implementing method of claim 39. wherein said final party is said fourth party, 
and further including a step wherein: 
said user 

when transferring said electronic coin to said third party, furnishes said third party with information 
containing said electronic cash information {Vi, Xi, B. C}, said prime-number products Ni and said prime 
35 numbers Li; 
said third party: 

generates kz pieces of said inquiry €| and sends it to said user; 
said user: 

generates kz pieces of response Yi by the following equation 
40 Yi = Ri'Si^i mod Ni. 
where i = 1. .... k2. 

by use of said secret random information Ri and said secret information Si, and sends said response Yi to 
said tiiird party; 
said tiiird party: 

45 verifies the validity of said response by checking it to ensure that the following equation holds: 
Yi"oXi*Vi^i (mod Ni). 
where i = 1 kz. 

and fomishes said user witii a license § which said third party has; 
said user: 

50 generates a deed of transfer T by applying a signature, with use of the prime-number Ni of said user, to 
said license § of said third party, and sends said deed of tiwsfor T to said third party. 

44. The electronic cash implementing method of claim 43. further including a step wherein: 
said tiiird party: 

when using said electronic coin, furnishes said fourth party with the information Ni. Li, said electronic cash 
55 information {Vi. Xi, B, C}, said deed of transfer T, said third party's inquiry €i, said user's response Yi. said 
tiiird party*s license B and said third party's prime-number products Ri, prime numbers Li and user 
information Vi used for generating said tiiird party's license §; 
said fourtti party: 
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verifies the validity of said response Yi of said user by checking it to ensure that the following equation 
hold: 

Yi*^aXi'Yi^i (mod Ni), 
where i = 1 kz, 

5 generates an inquiry qi. sends said inquiry qi to said third party, and calculates inquiry information El by an 
inquiry function Ei = f(qi); 
said third party: 

calculates inquiry information Ei from said inquiry qi from said fourth party by said inquiry function B = f- 
(qi). generates a response Yi by the following equations 
10 5i = XI^'Li nncd Ni. and 
Yi = 5i'§l^ mod NI, 
where i = 1 ka 

and sends said response Yi to said fourth party; and 

said fourth party verifies the validity of said response Yi of said third party by checking it to ensure that the 
IS following equation holds: 
YiLiaXi'Vi^ (mod NI). 
where i = 1, .... kzi 

by use of said auttientication information Xi of said user. 

45. The electronic cash implementing method of claim 44, further Including a step wherein: 
20 said fourth party: 

for settlement of said electronic coin, furnishes said bank with said electronic cash information {Vi, X, B, CJ, 
said pieces of information Ni, Li and Yi of said user, said deed of transfer T. said information {NI, Vi, U. B. 
ei, ?} of said third party and said inquiry qi of said fourth party; and 
said bank: 

25 verifies the validity of said response "Vi of said user and said response Yi of said third party by checking 
them to ensure that the following equations hold: 
Yi"aXi*Vi^i (modNi), 
where 1 = 1. .... k2, and 
YiL*»Xi*9i^i (modFli). 

30 46. The electronic cash implementing method of claim 45, further including a step wherein said bank 
checks whether or not a pair of information of the same values as a pair of said user information and said 
authentication information {Vi, Xi} received from said fourth party exists in said memory of said bank; if 
such a pair of infonmation is not found, said bank stores in said memory said infomnation received from said 
fourth party; and If such a pair of information is found, reads out of said memory an inquiry qi and a 

35 response Yi' corresponding thereto, calculates inquiry information Ei' = f(qi') from said read-out inquiry qi . 
solves, by the Euclid's algorithm, integers a and 0 which satisfy the following equation: 
tt'U + ^ (Ei - Ei') = 1. 

calculates secret information SI by the following equation: 
Vi'*'(YiAl')^mod Ni = Si, 

40 and obtains from said calculated secret information Si the identification information IDp of said user who 
invalidty used said electronic coin C. 

47. The electronic cash implementing method of claim 45 or 46, further including a step wherein said 
bank checks whether or not a pair of Information of the same values as a pair {VI. Xi} of said user 
Information Vi of said third party and said authentication information Xi of said user received from said 

45 fourth party is stored in said memory of said bank; If such a pair of information is not found, said bank 
stores in said memory said Information received fnDm said fourth party; and is such a pair of information is 
found, said bank reads out of said memory the conresponding inquiry qi of said fourth party and a 
response Yl' thereto of said third party, calculates inquiry information Ei = f(qi ) from said read-out Inquiry 
qi'. solves, by the Euclid's algorithm, integers a and i3 which satisfy the following equation: 

60 a-Li + )3(Ei-Ei') = 1, 

calculates secret information SI from the following equation: 
Vi«*(Yi/Yi')^ mod Ni = Si. 

and obtains from said calculated secret infonmation §i the identification information of said tiiird party who 
Invalldly used said electronic coin C. 
55 48. The electronic cash implementing metiiod of claim 39, wherein said bank allows said electronic coin 
to be used a predetermined number K of times, said final party is said third party and said fourth party is 
said bank, and further including a step wherein: 
said user 
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at the time of a hth use of said electronic coin, furnishes said third party with said electronic cash 
information {Vi, Xi, B. C} and information {Ni. Li}, where 1 ^ j ^ k; 
said third party: 

generates kz pieces of said inquiry qi. sends said inquiry qi to said user, and calculates inquiry information 
5 B by an inquiry function El = f(qi); 
•said user 

calculates inquiry information Ei from said inquiry qi by said inquiry function Ei = f(qi). generates said 
response Yi from the following equations: 

= fj(Xi)''" mod Ni, . . 

10 where 1 = 1 ka, and 

Yi = ^r<i>'Si^' mod NI. 

sends said response YI to said third party, together with j, where fjP<i) Is a function of Xi and varies with j as 
a parameter; and 
said third party: 

75 verifies the validity of said response Yi by checking it to ensure that the following equation holds: 
ri"afj(Xi)'Vi^ (mod Ni). 
where i = 1, .... ka. 

49. The electronic cash implementing method of claim 39, wherein said bank allows said electronic coin 
to be used a predetemnined number K of times, and further including a step wherein: 

20 said user 

at the time of a j-tii (where 1 ^ j ^ K) use of said electronic coin, furnishes said third party with said 
electronic cash information {Vi, Xi, B, C} and information {Ni, Li}, where 1 S j S K; 
said third party: 

generates and sends said inquiry 6| to said user; 
* -25 said user. 

generates said response Yi by the following equations: 
^{"^ = ffiay^ mod Ni. 
where i = 1, .... kz. and 
Yi = ^i^i^-SiM mod Ni 

30 and sends sard response Yi to said third party, together with j, where fj(Xi) is a function of Xi which varies 
with j as a parameter; 
said third party: 

verifies the validity of said response Yi by checking it to ensure that the following equation holds: 
Yi"afKXi)*Vi^i (modNi). 

35 where i = 1 kz, 

and sends to said user the license § that said third party has; 

said user generates a deed of transfer T by applying a signature, with use of a prime-number product NI. to 
said license § of said tiiird party, and sends said deed of transfer T to said third party. 

50. The electronic cash implementing metiiod of claim 49, wherein said final party is said fourth party, 
40 and further including a step wherein: 

said third party: 

when using said electronic coin, fumishes said fourtfi party witii said electronic cash information {Vi. Xi. B, 
C}, information {Ni. Li, T. Yi, j} of said user and information {f5i, Li. §, ei} of said third party; 
said fourtii party: 

45 verifies the validity of said user's response Yi by checking it to ensure tiiat the following equation hold: 
Yi^* a Xi*Yi^l (mod NI). 
where i = 1 ka, 

generates an inquiry qi, sends said inquiry qi to said tfiird party, and calculates inquiry information Ei by an 
Inquiry function B = f(qi); 
50 said third party: 

calculates inquiry infonmation Ei from said inquiry qi from said fourtii party by said inquiry function Ei = f- 
(qi). generates a response Yi by the following equations: 
$l<i> , xi"^'mod Ri. and 
Y, = ?i****Si^ mod NI. 

55 where 1 = 1 ka 

and sends said response Yi to said fourth party; and 
said fourth party: 

verifies the validity of said response Yi by checking it to ensure tiiat tiie following equation holds: 
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9iL'aXi*Vi® (mod Ni). 
where i = 1, .... ka. 

51. The electronic cash implementing method of claim 48, further including a step wherein, when 
having received from said final party, for settlement of said electronic coin, information containing said 

5 electronic cash information -{Vi, Xi. B, C}, the information {Ni, Li. Yi. j} of said user and said third party's 
inquiry qi, said bank calculates inquiry information Ei by said inquiry function El = f(qi); sand bank checks 
whether or not a set of infomnation of the same values as a set {Vi, XI, j} of said user information Vi. said 
authentication infomaation Xi and said j is stored in said memory of said bank; if such a set of information is 
found, said bank reads out of said memory the corresponding inquiry qi' of said third party and the 

TO response Yi thereto of said user, calculates inquiry information Ei' = f(qi') from said read-out inquiry qi'. 
solves, by the Euclid's algorithm, integers a and j8 which satisfy the following equation: 
a-Li + j8{B-Ei') = 1. 
where i = 1 kz, 

calculates secret information Si from the following equation: 
75 Vi«'(Yi/Yi')^mod Ni = Si. 

and obtains from said calculated secret information Si the identification information IDp of said user who 
invatidiy used said electronic coin. 

52. An electronic cash implementing user system in which a bank issues electronic cash to a user and 
the user pays to a third party with said electronic cash. 

20 comprising: 

secret information generating means for generating secret information containing identification infomnation; 
user information generating means whereby user information is produced, by use of a first one-way 
function, from said secret information provided from said secret information generating means; 
first blind signature preprocessing means whereby Information, containing said user information provided 
25 from, said user information generating means is subjected to one-way blind signature preprocessing to 
produce randomized user information; 

first blind signature postprocessing means whereby signed randomized user information produced by 
signing said randomized user information by said bank is derandomized to obtain signed user infomnation; 
secret random information generating means for generating secret random infomnation; 
30 authentication information generating means whereby authentication infonmation Is produced, by use of a 
second one-way function, from said secret random information provided from said secret random informa- 
tion generating means; 

second blind signature preprocessing means whereby said autiientication information provided from said 
authentication information generating means is subjected to one-way blind signature preprocessing to obtain 
35 randomized authentication information; 

second blind signature postprocessing means whereby signed authentication information produced by 
signing said randomized authentication information by said bank is derandomized to obtain signed 
authentication information; and 

response generating means whereby a response is produced by use of said secret random information in 
40 response to an inquiry from said tfiird party. 

53. The user system of claim 52, wherein said second blind signature preprocessing means includes 
concatenating means for concatenating said authentication information and said signed user information into 
a concatenated message, and a onerway preprocessing function operator for randomizing said concat- 
enated message witii a random number to produce said randomized user information. 

45 54. The user system of claim 53. further including a one-way signature function operator whereby said 
user attaches a signature to signed user infomnation of said third party provided therefrom. 
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